Play interactive tour

Edit tour

Windows Analysis Report Payment confirmation .exe

Overview

General Information

Sample Name:	Payment confirmation .exe
Analysis ID:	551433
MD5:	aa035026516778019f8b8bd0e224fc03
SHA1:	efae7e259b4581830c7e6bfeb94ed6dd25a54229
SHA256:	39c5635ea42d63fe84500b9760fbe56e0fd3243007700749609bca1cd8d9e5d4
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Payment confirmation .exe (PID: 6996 cmdline: "C:\Users\user\Desktop\Payment confirmation .exe" MD5: AA035026516778019F8B8BD0E224FC03)

powershell.exe (PID: 3604 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3116 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Payment confirmation .exe (PID: 5432 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: AA035026516778019F8B8BD0E224FC03)

Payment confirmation .exe (PID: 5520 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: AA035026516778019F8B8BD0E224FC03)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa865:$a: NanoCore 0xa8be:$a: NanoCore 0xa8fb:$a: NanoCore 0xa974:$a: NanoCore 0x1e01f:$a: NanoCore 0x1e034:$a: NanoCore 0x1e069:$a: NanoCore 0x4628a:$a: NanoCore 0x462a2:$a: NanoCore 0x462cb:$a: NanoCore 0x5f11b:$a: NanoCore 0x5f130:$a: NanoCore 0x5f165:$a: NanoCore 0x87372:$a: NanoCore 0x8738a:$a: NanoCore 0x873b3:$a: NanoCore 0xa8c7:$b: ClientPlugin 0xa904:$b: ClientPlugin 0xb202:$b: ClientPlugin 0xb20f:$b: ClientPlugin 0x1dddb:$b: ClientPlugin
0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x19e395:$x1: NanoCore.ClientPluginHost 0x1e8bb5:$x1: NanoCore.ClientPluginHost 0x2331d5:$x1: NanoCore.ClientPluginHost 0x19e3d2:$x2: IClientNetworkHost 0x1e8bf2:$x2: IClientNetworkHost 0x233212:$x2: IClientNetworkHost 0x1a1f05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ec725:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x236d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19e0fd:$a: NanoCore 0x19e10d:$a: NanoCore 0x19e341:$a: NanoCore 0x19e355:$a: NanoCore 0x19e395:$a: NanoCore 0x1e891d:$a: NanoCore 0x1e892d:$a: NanoCore 0x1e8b61:$a: NanoCore 0x1e8b75:$a: NanoCore 0x1e8bb5:$a: NanoCore 0x232f3d:$a: NanoCore 0x232f4d:$a: NanoCore 0x233181:$a: NanoCore 0x233195:$a: NanoCore 0x2331d5:$a: NanoCore 0x19e15c:$b: ClientPlugin 0x19e35e:$b: ClientPlugin 0x19e39e:$b: ClientPlugin 0x1e897c:$b: ClientPlugin 0x1e8b7e:$b: ClientPlugin 0x1e8bbe:$b: ClientPlugin
00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment confirmation .exe PID: 6996	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x317b0c:$x1: NanoCore.ClientPluginHost 0x317b49:$x2: IClientNetworkHost 0x31b63a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3266c0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x333470:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x33e8db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 6996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment confirmation .exe PID: 6996	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 6996	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3177d9:$a: NanoCore 0x3177e9:$a: NanoCore 0x3178a8:$a: NanoCore 0x3178b7:$a: NanoCore 0x317ab8:$a: NanoCore 0x317acc:$a: NanoCore 0x317b0c:$a: NanoCore 0x322d2a:$a: NanoCore 0x322d3c:$a: NanoCore 0x322d78:$a: NanoCore 0x32fada:$a: NanoCore 0x32faec:$a: NanoCore 0x32fb28:$a: NanoCore 0x33af45:$a: NanoCore 0x33af57:$a: NanoCore 0x33af93:$a: NanoCore 0x317838:$b: ClientPlugin 0x317901:$b: ClientPlugin 0x317ad5:$b: ClientPlugin 0x317b15:$b: ClientPlugin 0x322d45:$b: ClientPlugin
Process Memory Space: Payment confirmation .exe PID: 5520	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2745b:$x1: NanoCore.ClientPluginHost 0x60627:$x1: NanoCore.ClientPluginHost 0x7875c:$x1: NanoCore.ClientPluginHost 0xbd2fb:$x1: NanoCore.ClientPluginHost 0x27498:$x2: IClientNetworkHost 0x60641:$x2: IClientNetworkHost 0x78776:$x2: IClientNetworkHost 0xbd315:$x2: IClientNetworkHost 0x2af89:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3600f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 5520	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 5520	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x27128:$a: NanoCore 0x27138:$a: NanoCore 0x271f7:$a: NanoCore 0x27206:$a: NanoCore 0x27407:$a: NanoCore 0x2741b:$a: NanoCore 0x2745b:$a: NanoCore 0x32679:$a: NanoCore 0x3268b:$a: NanoCore 0x326c7:$a: NanoCore 0x4958e:$a: NanoCore 0x495e9:$a: NanoCore 0x4965c:$a: NanoCore 0x60591:$a: NanoCore 0x605ea:$a: NanoCore 0x60627:$a: NanoCore 0x606a0:$a: NanoCore 0x60f4a:$a: NanoCore 0x60f9d:$a: NanoCore 0x60fd6:$a: NanoCore 0x61049:$a: NanoCore
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment confirmation .exe.363c208.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x5a9ad:$x1: NanoCore.ClientPluginHost 0xa4fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5a9ea:$x2: IClientNetworkHost 0xa500a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e51d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa8b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.363c208.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.363c208.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x5a715:$a: NanoCore 0x5a725:$a: NanoCore 0x5a959:$a: NanoCore 0x5a96d:$a: NanoCore 0x5a9ad:$a: NanoCore 0xa4d35:$a: NanoCore 0xa4d45:$a: NanoCore 0xa4f79:$a: NanoCore 0xa4f8d:$a: NanoCore 0xa4fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x5a774:$b: ClientPlugin 0x5a976:$b: ClientPlugin 0x5a9b6:$b: ClientPlugin
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x3c845:$x1: NanoCore.ClientPluginHost 0x556df:$x1: NanoCore.ClientPluginHost 0x7d92d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x3c85f:$x2: IClientNetworkHost 0x5570c:$x2: IClientNetworkHost 0x7d947:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x3c845:$x2: NanoCore.ClientPluginHost 0x556df:$x2: NanoCore.ClientPluginHost 0x7d92d:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x3fb82:$s4: PipeCreated 0x567ba:$s4: PipeCreated 0x80c6a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x3c832:$s5: IClientLoggingHost 0x556f9:$s5: IClientLoggingHost 0x7d91a:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x3c804:$a: NanoCore 0x3c81c:$a: NanoCore 0x3c845:$a: NanoCore 0x55695:$a: NanoCore 0x556aa:$a: NanoCore 0x556df:$a: NanoCore 0x7d8ec:$a: NanoCore 0x7d904:$a: NanoCore 0x7d92d:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin
10.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Payment confirmation .exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Payment confirmation .exe.3686a28.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3686a28.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3686a28.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3686a28.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
10.2.Payment confirmation .exe.52d0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.52d0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.Payment confirmation .exe.52e0000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.52e0000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.52e0000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Payment confirmation .exe.62b0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.62b0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.242da04.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.62b0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.62b0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x333e6:$x1: NanoCore.ClientPluginHost 0x4c280:$x1: NanoCore.ClientPluginHost 0x744ce:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x33400:$x2: IClientNetworkHost 0x4c2ad:$x2: IClientNetworkHost 0x744e8:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x333e6:$x2: NanoCore.ClientPluginHost 0x4c280:$x2: NanoCore.ClientPluginHost 0x744ce:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x36723:$s4: PipeCreated 0x4d35b:$s4: PipeCreated 0x7780b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x333d3:$s5: IClientLoggingHost 0x4c29a:$s5: IClientLoggingHost 0x744bb:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Payment confirmation .exe.3a278bc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.3a278bc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.3a278bc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.Payment confirmation .exe.62be8a4.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.62be8a4.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.52e4629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.52e4629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.52e4629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Payment confirmation .exe.3686a28.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x5a7ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5a7ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3686a28.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x5a525:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x5a7ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x5bde6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x5bdda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x5cc8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x62a42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x5a7d7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3686a28.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3686a28.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x5a515:$a: NanoCore 0x5a525:$a: NanoCore 0x5a759:$a: NanoCore 0x5a76d:$a: NanoCore 0x5a7ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x5a574:$b: ClientPlugin 0x5a776:$b: ClientPlugin 0x5a7b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x5a69b:$c: ProjectData 0x10a82:$d: DESCrypto 0x5b0a2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.0.Payment confirmation .exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.0.Payment confirmation .exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.Payment confirmation .exe.52e0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.52e0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.52e0000.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.363c208.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.363c208.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.363c208.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.363c208.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
10.2.Payment confirmation .exe.3a278bc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x37a0f:$x1: NanoCore.ClientPluginHost 0x508a9:$x1: NanoCore.ClientPluginHost 0x78af7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x37a29:$x2: IClientNetworkHost 0x508d6:$x2: IClientNetworkHost 0x78b11:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.3a278bc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x37a0f:$x2: NanoCore.ClientPluginHost 0x508a9:$x2: NanoCore.ClientPluginHost 0x78af7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x3ad4c:$s4: PipeCreated 0x51984:$s4: PipeCreated 0x7be34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x379fc:$s5: IClientLoggingHost 0x508c3:$s5: IClientLoggingHost 0x78ae4:$s5: IClientLoggingHost
10.2.Payment confirmation .exe.3a278bc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 69 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, ProcessId: 3116

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, ProcessId: 3604

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, ProcessId: 3604

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132864459695901373.3604.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Antivirus detection for URL or domain

Show sources

Source: 37.120.210.211

Avira URL Cloud: Label: malware

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: Payment confirmation .exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QNRauI.exe

Joe Sandbox ML: detected

Source: 10.2.Payment confirmation .exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack	Avira: Label: TR/NanoCore.fadte
Source: 10.0.Payment confirmation .exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Payment confirmation .exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 37.120.210.211
Source: Malware configuration extractor	URLs: naki.airdns.org

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 146.70.76.43:56281

Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comM
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.677558315.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677216510.0000000005403000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comwit
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.684072387.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679682374.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683406802.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersIUy
Source: Payment confirmation .exe, 00000000.00000003.679938204.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersTUF
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersico
Source: Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersnox
Source: Payment confirmation .exe, 00000000.00000003.683542352.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~Ul
Source: Payment confirmation .exe, 00000000.00000002.729385777.0000000000A74000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.commfet
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676069541.000000000542F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.687703540.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/~Rm
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/;
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-b
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.687529964.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687463634.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687617708.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687425665.000000000544C000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.p
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.677944436.000000000542C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com.
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.como
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: naki.airdns.org

Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Payment confirmation .exe

Source: Payment confirmation .exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00082594	0_2_00082594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2C164	0_2_00A2C164
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2E5A0	0_2_00A2E5A0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2E5B0	0_2_00A2E5B0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2FBE0	0_2_00A2FBE0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360EB6	0_2_07360EB6
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360026	0_2_07360026
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360040	0_2_07360040
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 9_2_000C2594	9_2_000C2594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_006A2594	10_2_006A2594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108E471	10_2_0108E471
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108E480	10_2_0108E480
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108BBD4	10_2_0108BBD4
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_04F8F5F8	10_2_04F8F5F8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_04F89788	10_2_04F89788

Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000003.697326569.000000000349E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.734838256.00000000071E0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilenameOnDeserializingAttribu.exe2 vs Payment confirmation .exe

Source: Payment confirmation .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QNRauI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\Payment confirmation .exe

Jump to behavior

Source: Payment confirmation .exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment confirmation .exe "C:\Users\user\Desktop\Payment confirmation .exe"
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\QNRauI.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/10@14/1

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3600:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2616a878-9933-42e4-9fe0-3b57e29bc1f5}
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\lresUOKKCheNReqlZnYyzR

Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment confirmation .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Payment confirmation .exe, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QNRauI.exe.0.dr, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.3.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.2.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.5.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.9.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.11.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.13.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: Payment confirmation .exe, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: QNRauI.exe.0.dr, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.3.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.2.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.2.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.5.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.9.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.11.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.13.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.2.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)

Source: C:\Users\user\Desktop\Payment confirmation .exe

Code function: 0_2_00A2F970 pushfd ; iretd

0_2_00A2F971

Source: initial sample	Static PE information: section name: .text entropy: 7.96359768292
Source: initial sample	Static PE information: section name: .text entropy: 7.96359768292

Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\QNRauI.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Users\user\Desktop\Payment confirmation .exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.Payment confirmation .exe.242da04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment confirmation .exe, 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment confirmation .exe, 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 7000	Thread sleep time: -39064s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 7024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4260	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 6760	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4870	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3864	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 3782	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 5112	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: foregroundWindowGot 769	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 39064	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory written: C:\Users\user\Desktop\Payment confirmation .exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe			Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior

Source: Payment confirmation .exe, 0000000A.00000002.940923801.0000000002E46000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.941005381.0000000002E96000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.941108443.0000000002ED0000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp, Payment confirmation .exe, 0000000A.00000002.941061864.0000000002ECE000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.944136866.000000000615D000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.944077289.000000000601D000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.944022787.0000000005DDC000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.939799082.00000000029FB000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939992078.0000000002AE8000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Payment confirmation .exe, 0000000A.00000002.940923801.0000000002E46000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939992078.0000000002AE8000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|$
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Payment confirmation .exe, 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading1	Input Capture11	Security Software Discovery11	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment confirmation .exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QNRauI.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.Payment confirmation .exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.2.Payment confirmation .exe.52e0000.7.unpack	100%	Avira	TR/NanoCore.fadte	Download File
10.0.Payment confirmation .exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.0.Payment confirmation .exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.0.Payment confirmation .exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.0.Payment confirmation .exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.0.Payment confirmation .exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/jp/C	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
37.120.210.211	100%	Avira URL Cloud	malware
naki.airdns.org	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/;	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/pt-b	0%	Avira URL Cloud	safe
http://www.monotype.p	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comM	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.commfet	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/O	0%	URL Reputation	safe
http://www.tiro.como	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/C	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/;	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/y	0%	URL Reputation	safe
http://www.sakkal.com.	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/z	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/)	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.carterandcone.comwit	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/~Rm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
naki.airdns.org	146.70.76.43	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
37.120.210.211	true	Avira URL Cloud: malware	unknown
naki.airdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersIUy	Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/C	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Payment confirmation .exe, 00000000.00000003.684072387.0000000005433000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersnox	Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/;	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/pt-b	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.p	Payment confirmation .exe, 00000000.00000003.687529964.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687463634.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687617708.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687425665.000000000544C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersTUF	Payment confirmation .exe, 00000000.00000003.679938204.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comM	Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.commfet	Payment confirmation .exe, 00000000.00000002.729385777.0000000000A74000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/O	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers~	Payment confirmation .exe, 00000000.00000003.683542352.0000000005433000.00000004.00000001.sdmp	false		high
http://www.tiro.como	Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/L	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/C	Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersico	Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmld	Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/;	Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/y	Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com.	Payment confirmation .exe, 00000000.00000003.677944436.000000000542C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/z	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676069541.000000000542F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/t	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683406802.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.	Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/)	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/p	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comwit	Payment confirmation .exe, 00000000.00000003.677558315.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677216510.0000000005403000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/~Rm	Payment confirmation .exe, 00000000.00000003.687703540.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers~Ul	Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679682374.0000000005433000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.70.76.43	naki.airdns.org	United Kingdom		2018	TENET-1ZA	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	551433
Start date:	12.01.2022
Start time:	08:24:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment confirmation .exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/10@14/1
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 34.8% (good quality ratio 17.4%) Quality average: 37.2% Quality standard deviation: 38%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Execution Graph export aborted for target Payment confirmation .exe, PID 5432 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:26:02	API Interceptor	831x Sleep call for process: Payment confirmation .exe modified
08:26:12	API Interceptor	44x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
naki.airdns.org	Payment confirmation .exe	Get hash	malicious	Browse	37.120.210.211
	Payment confirmation .exe	Get hash	malicious	Browse	194.187.251.163
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211
	MT103-Advance.Payment..pdf.exe	Get hash	malicious	Browse	213.152.161.249
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TENET-1ZA	b3astmode.x86	Get hash	malicious	Browse	152.106.77.36
	4SiZKGBMOY	Get hash	malicious	Browse	154.114.95.162
	8I4YXRv374	Get hash	malicious	Browse	196.21.55.105
	UgNtYb3T3d	Get hash	malicious	Browse	155.238.0.92
	loligang.arm	Get hash	malicious	Browse	155.240.194.123
	K0FLQjeV3N	Get hash	malicious	Browse	146.230.43.157
	sora.x86	Get hash	malicious	Browse	155.232.197.127
	DP035lJwIY	Get hash	malicious	Browse	143.136.135.230
	jKira.arm7	Get hash	malicious	Browse	146.68.57.79
	hVF2AR667H	Get hash	malicious	Browse	146.69.137.46
	phantom.arm	Get hash	malicious	Browse	155.238.0.61
	Phth1g5WrS	Get hash	malicious	Browse	146.70.175.226
	apep.x86	Get hash	malicious	Browse	196.21.188.204
	cmVrSTjlzC	Get hash	malicious	Browse	146.141.187.92
	arm-20211227-1850	Get hash	malicious	Browse	152.116.100.79
	teuS3WQvbS	Get hash	malicious	Browse	143.128.168.145
	1bQEi8dbIi	Get hash	malicious	Browse	146.70.175.216
	c0r0n4x.x86	Get hash	malicious	Browse	146.239.195.224
	CjQiyGmTp3	Get hash	malicious	Browse	143.128.168.136
	arm6-20211225-0506	Get hash	malicious	Browse	146.232.26.16

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment confirmation .exe.log Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22280
Entropy (8bit):	5.603448558149079
Encrypted:	false
SSDEEP:	384:GtCDm0k8v6v30rXSJScSBKnYjultIab7Y9gtbSJ3xyT1MaDZlbAV7O4l6ZBDI+ip:eQ23MXE4KYClt17hcwC6fwoVg
MD5:	438CEF22F7B9AB115F27C9E03ED52A92
SHA1:	3E50A0EF10FB3EE05A1772B685114078755E461C
SHA-256:	4DDC221F1F2DA6CD48D3117C60008429D9F2631F0BF7C5DF8927989ECBB05CCC
SHA-512:	BB186A39B67EA9D43ED556451FCE481451C5A8F995867FC84CD7D1815D1D5A6BB1323710979FF0CF0378E2C5439318E3ED42CEBEA7212213AA293BC2763DFA0C
Malicious:	false
Reputation:	low
Preview:	@...e...........y.......h.............y...I..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qnk0ivh.iyj.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mevy52tz.tt5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1593
Entropy (8bit):	5.1360806454884385
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtadxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuT+v
MD5:	B0A91C23E82AA9831131A946DC8882B2
SHA1:	6ACB72396925F2655F17259CB41980C1E77B5BBB
SHA-256:	830508EBB4A30C675781AA7A61A4A3B41379B090CC472B86368AA906849E39B8
SHA-512:	3B0104905227E5357708DE138902E7FD99DD89145A829B1EFC5878097A3DC49CCF0E0162629D019E30B39DA89D5E1050553A7F749A9B29AC47D899B9DAC44158
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	SysEx File - Twister
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:p2Bn:e
MD5:	6D4C80C6B89E030207C12FF4661B6118
SHA1:	7401D0D745A13BD2905E25C23E65421C382391A9
SHA-256:	EBABE9E7478812E1D324E5F7D94EFA80B73BAB3E1A3CFC9E155047BC3858344F
SHA-512:	812A64696E0931C6B19AA555B24F21003D58758276ACE42F45F9A58BFEFD67FD3AA2089B2F17285D6D498507E8B2411BEB11D9B93490F849ABC8225A911A6741
Malicious:	true
Preview:	.%7...H

C:\Users\user\AppData\Roaming\QNRauI.exe Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	542720
Entropy (8bit):	7.954488841460159
Encrypted:	false
SSDEEP:	12288:bXGyj7pcvY2GblmQ1S3IAHQ7RBw/73iErP:fTc3bwNBwuEr
MD5:	AA035026516778019F8B8BD0E224FC03
SHA1:	EFAE7E259B4581830C7E6BFEB94ED6DD25A54229
SHA-256:	39C5635EA42D63FE84500B9760FBE56E0FD3243007700749609BCA1CD8D9E5D4
SHA-512:	A2CBCE6A6597479167089339504B7BC39BAE9845F2295397062F2FFE1B79037A5640208663A5E208D87856CEEADD1EFE061B933ED69A79D572BD597F3FF75899
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.a..............0..<..........NZ... ...`....@.. ....................................@..................................Y..O....`............................................................................... ............... ..H............text...T:... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............F..............@..B................0Z......H........L...\......6...\|...............................................&.(......*..(..........0...........r...pr...p.QsF....+....0...........r;..prA..p.EsF....+....0...........rw..pr...p.VsF....+....0...........r...pr...p.JsF....+....0...........r...pr...p.ZsF....+....0...........r+..pr1..p.Z.MsG....+......0...........rg..pro..p.Z.MsG....+......0...........r...pr...p.Z.MsG....+......0...........r...pr...ps=....+......0...........r...pr#..ps=....+......0..........

C:\Users\user\AppData\Roaming\QNRauI.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220112\PowerShell_transcript.830021.GhMaXGHf.20220112082610.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5773
Entropy (8bit):	5.39117162081354
Encrypted:	false
SSDEEP:	96:BZIjKNxqDo1ZSZNjKNxqDo1ZxrpzjZ/jKNxqDo1Zbajj5Zh:x
MD5:	322C10DE7FC412A3E88EABCEB5DD0130
SHA1:	51593CE60CD26DD9EF22B0784C44CB381CE5D4A8
SHA-256:	43AD0D4351316231CFCB26AC59E6F01839779EEFF38D961A10D251ACE4172D9B
SHA-512:	5BECB37FE14E9735811D84CD391891E276FE903A0CCD0D42D3782AEE792A06F01B9A37A72FDC207F331CADB7894CF933CE35F579AED2A73B55AFB78B0A052B83
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220112082611..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 830021 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QNRauI.exe..Process ID: 3604..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220112082611..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QNRauI.exe..********************..Windows PowerShell transcript start..Start time: 20220112083015..Username: computer\user..RunAs User: computer\user..Confi

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.954488841460159
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment confirmation .exe
File size:	542720
MD5:	aa035026516778019f8b8bd0e224fc03
SHA1:	efae7e259b4581830c7e6bfeb94ed6dd25a54229
SHA256:	39c5635ea42d63fe84500b9760fbe56e0fd3243007700749609bca1cd8d9e5d4
SHA512:	a2cbce6a6597479167089339504b7bc39bae9845f2295397062f2ffe1b79037a5640208663a5e208d87856ceeadd1efe061b933ed69a79d572bd597f3ff75899
SSDEEP:	12288:bXGyj7pcvY2GblmQ1S3IAHQ7RBw/73iErP:fTc3bwNBwuEr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.a..............0..<..........NZ... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x485a4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61DE7680 [Wed Jan 12 06:34:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x859fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x6d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x83a54	0x83c00	False	0.961252520161	data	7.96359768292	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x6d4	0x800	False	0.37109375	data	3.68471441086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x86090	0x444	data
RT_MANIFEST	0x864e4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Development In Progress Ltd 2015
Assembly Version	2.0.0.0
InternalName	OnDeserializingAttribu.exe
FileVersion	2.0.0.0
CompanyName	Development In Progress Ltd
LegalTrademarks
Comments	A simple mechanism to maintain state for an activity based workflow
ProductName	DipState
ProductVersion	2.0.0.0
FileDescription	DipState
OriginalFilename	OnDeserializingAttribu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2022 08:26:21.496448994 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:22.120800972 CET	56281	49761	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:22.120923042 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:22.169342041 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:22.806607962 CET	56281	49761	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:22.886548042 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:23.670886993 CET	56281	49761	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:23.670964003 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:24.113238096 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:24.461231947 CET	56281	49761	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:24.463196993 CET	49761	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:28.601921082 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:29.336673975 CET	56281	49762	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:29.336815119 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:29.337460041 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:30.403642893 CET	56281	49762	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:30.403872967 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:31.048769951 CET	56281	49762	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:31.049668074 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:31.680993080 CET	56281	49762	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:31.681144953 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:32.112807035 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:32.365627050 CET	56281	49762	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:32.365787029 CET	49762	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:36.703120947 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:37.318804026 CET	56281	49763	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:37.318968058 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:37.320342064 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:38.045265913 CET	56281	49763	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:38.045907974 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:38.754287958 CET	56281	49763	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:38.754364967 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:39.186594963 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:39.422841072 CET	56281	49763	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:39.422904968 CET	49763	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:44.189121962 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:44.937760115 CET	56281	49764	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:44.938009977 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:45.537900925 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:46.152734995 CET	56281	49764	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:46.153064966 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:46.791004896 CET	56281	49764	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:46.791949987 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:47.401065111 CET	56281	49764	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:47.441382885 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:47.587512970 CET	49764	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:52.017040014 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:52.662681103 CET	56281	49782	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:52.663507938 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:52.664336920 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:53.306962013 CET	56281	49782	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:53.307307005 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:53.926824093 CET	56281	49782	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:53.926914930 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:54.590934992 CET	56281	49782	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:54.614583015 CET	49782	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:59.051279068 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:59.664710999 CET	56281	49800	146.70.76.43	192.168.2.4
Jan 12, 2022 08:26:59.664861917 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:26:59.665734053 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:00.306605101 CET	56281	49800	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:00.310446024 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:00.944751978 CET	56281	49800	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:00.944825888 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:01.615020990 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:01.750566959 CET	56281	49800	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:01.750693083 CET	49800	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:05.965873003 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:06.588663101 CET	56281	49807	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:06.588757992 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:06.589562893 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:07.352962971 CET	56281	49807	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:07.353127003 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:08.115328074 CET	56281	49807	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:08.115432024 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:08.677973032 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:08.926760912 CET	56281	49807	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:08.926947117 CET	49807	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:13.191730022 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:13.806905031 CET	56281	49809	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:13.807552099 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:13.808307886 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:14.548984051 CET	56281	49809	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:14.551913023 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:15.320391893 CET	56281	49809	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:15.320805073 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:15.757601976 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:16.172713041 CET	56281	49809	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:16.172801018 CET	49809	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:20.217061996 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:20.880790949 CET	56281	49827	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:20.881078005 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:20.888781071 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:21.752861023 CET	56281	49827	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:21.752984047 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:22.616928101 CET	56281	49827	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:22.617002010 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:22.913781881 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:23.307008028 CET	56281	49827	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:23.307956934 CET	49827	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:27.186053991 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:28.458776951 CET	56281	49833	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:28.458915949 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:28.459662914 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:29.107300997 CET	56281	49833	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:29.107474089 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:30.047758102 CET	56281	49833	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:30.047956944 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:30.862916946 CET	56281	49833	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:30.913831949 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:30.961359978 CET	49833	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:35.924621105 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:36.596743107 CET	56281	49834	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:36.597906113 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:37.272458076 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:37.914793015 CET	56281	49834	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:37.914933920 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:38.596807957 CET	56281	49834	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:38.596961975 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:39.305906057 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:39.438813925 CET	56281	49834	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:39.438925028 CET	49834	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:43.647303104 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:44.255228043 CET	56281	49836	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:44.255361080 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:44.265652895 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:45.160152912 CET	56281	49836	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:45.160247087 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:45.925698042 CET	56281	49836	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:45.925803900 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:46.306391001 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:46.539414883 CET	56281	49836	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:46.539520979 CET	49836	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:50.812954903 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:51.493918896 CET	56281	49840	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:51.494250059 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:51.495151043 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:52.282653093 CET	56281	49840	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:52.283170938 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:52.918529034 CET	56281	49840	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:52.918648958 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:53.775053978 CET	56281	49840	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:53.778959990 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:54.307682037 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:55.046422958 CET	56281	49840	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:55.046506882 CET	49840	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:58.344065905 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:58.994076014 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:58.994205952 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:58.994560003 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:27:59.621408939 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:27:59.621694088 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:00.710805893 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:00.711735010 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:00.775665998 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:01.378849030 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:01.379713058 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.036911011 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.062705994 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.062966108 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063015938 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063030005 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063043118 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063061953 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063074112 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063082933 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063087940 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063091040 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063101053 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063149929 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063159943 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063163042 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063178062 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.063828945 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.063931942 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.680911064 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.680958033 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681006908 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681034088 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681062937 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.681066036 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681097031 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.681099892 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681112051 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.681128979 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.681163073 CET	49841	56281	192.168.2.4	146.70.76.43
Jan 12, 2022 08:28:02.681644917 CET	56281	49841	146.70.76.43	192.168.2.4
Jan 12, 2022 08:28:02.681896925 CET	56281	49841	146.70.76.43	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2022 08:26:21.358510017 CET	62389	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:21.463951111 CET	53	62389	8.8.8.8	192.168.2.4
Jan 12, 2022 08:26:28.396239996 CET	49910	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:28.600332975 CET	53	49910	8.8.8.8	192.168.2.4
Jan 12, 2022 08:26:36.512564898 CET	55854	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:36.701642990 CET	53	55854	8.8.8.8	192.168.2.4
Jan 12, 2022 08:26:44.168963909 CET	64549	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:44.187479019 CET	53	64549	8.8.8.8	192.168.2.4
Jan 12, 2022 08:26:51.997921944 CET	63116	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:52.014723063 CET	53	63116	8.8.8.8	192.168.2.4
Jan 12, 2022 08:26:59.029360056 CET	64078	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:26:59.048402071 CET	53	64078	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:05.947813034 CET	61721	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:05.964391947 CET	53	61721	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:13.125575066 CET	51255	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:13.144364119 CET	53	51255	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:20.194072008 CET	61522	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:20.212605953 CET	53	61522	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:27.167675972 CET	52337	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:27.183885098 CET	53	52337	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:35.424280882 CET	55046	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:35.440875053 CET	53	55046	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:43.627265930 CET	49285	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:43.646083117 CET	53	49285	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:50.791979074 CET	60875	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:50.810436010 CET	53	60875	8.8.8.8	192.168.2.4
Jan 12, 2022 08:27:58.324325085 CET	56448	53	192.168.2.4	8.8.8.8
Jan 12, 2022 08:27:58.343009949 CET	53	56448	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 12, 2022 08:26:21.358510017 CET	192.168.2.4	8.8.8.8	0xa905	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:28.396239996 CET	192.168.2.4	8.8.8.8	0x5745	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:36.512564898 CET	192.168.2.4	8.8.8.8	0xf50	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:44.168963909 CET	192.168.2.4	8.8.8.8	0x6bab	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:51.997921944 CET	192.168.2.4	8.8.8.8	0xf097	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:59.029360056 CET	192.168.2.4	8.8.8.8	0x5e15	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:05.947813034 CET	192.168.2.4	8.8.8.8	0x7c75	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:13.125575066 CET	192.168.2.4	8.8.8.8	0xb2df	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:20.194072008 CET	192.168.2.4	8.8.8.8	0x37d	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:27.167675972 CET	192.168.2.4	8.8.8.8	0x4dd2	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:35.424280882 CET	192.168.2.4	8.8.8.8	0x70e1	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:43.627265930 CET	192.168.2.4	8.8.8.8	0x150b	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:50.791979074 CET	192.168.2.4	8.8.8.8	0xa18a	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:58.324325085 CET	192.168.2.4	8.8.8.8	0xf965	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 12, 2022 08:26:21.463951111 CET	8.8.8.8	192.168.2.4	0xa905	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:28.600332975 CET	8.8.8.8	192.168.2.4	0x5745	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:36.701642990 CET	8.8.8.8	192.168.2.4	0xf50	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:44.187479019 CET	8.8.8.8	192.168.2.4	0x6bab	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:52.014723063 CET	8.8.8.8	192.168.2.4	0xf097	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:26:59.048402071 CET	8.8.8.8	192.168.2.4	0x5e15	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:05.964391947 CET	8.8.8.8	192.168.2.4	0x7c75	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:13.144364119 CET	8.8.8.8	192.168.2.4	0xb2df	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:20.212605953 CET	8.8.8.8	192.168.2.4	0x37d	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:27.183885098 CET	8.8.8.8	192.168.2.4	0x4dd2	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:35.440875053 CET	8.8.8.8	192.168.2.4	0x70e1	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:43.646083117 CET	8.8.8.8	192.168.2.4	0x150b	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:50.810436010 CET	8.8.8.8	192.168.2.4	0xa18a	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)
Jan 12, 2022 08:27:58.343009949 CET	8.8.8.8	192.168.2.4	0xf965	No error (0)	naki.airdns.org	146.70.76.43	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment confirmation .exe PID: 6996 Parent PID: 1088

General

Start time:	08:25:51
Start date:	12/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment confirmation .exe"
Imagebase:	0x80000
File size:	542720 bytes
MD5 hash:	AA035026516778019F8B8BD0E224FC03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 3604 Parent PID: 6996

General

Start time:	08:26:09
Start date:	12/01/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe
Imagebase:	0x1210000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3600 Parent PID: 3604

General

Start time:	08:26:09
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 3116 Parent PID: 6996

General

Start time:	08:26:10
Start date:	12/01/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp
Imagebase:	0x1060000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5036 Parent PID: 3116

General

Start time:	08:26:12
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Payment confirmation .exe PID: 5432 Parent PID: 6996

General

Start time:	08:26:13
Start date:	12/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Payment confirmation .exe
Imagebase:	0xc0000
File size:	542720 bytes
MD5 hash:	AA035026516778019F8B8BD0E224FC03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Payment confirmation .exe PID: 5520 Parent PID: 6996

General

Start time:	08:26:14
Start date:	12/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment confirmation .exe
Imagebase:	0x6a0000
File size:	542720 bytes
MD5 hash:	AA035026516778019F8B8BD0E224FC03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Payment confirmation .exe PID: 6996 Parent PID: 1088 Payment confirmation .exeCOMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	253
Total number of Limit Nodes:	11

Executed Functions

Function 00A2FBE0, Relevance: 1.8, APIs: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce5fb46a38da5cfc3bb31eaf9e6986a4d72056042aed21c002351ae391d2de6
Instruction ID: ab75bb4b165b431e81b5d79f5c1c47a2f3212689fbb39e696b935e3fc08c1879
Opcode Fuzzy Hash: 9ce5fb46a38da5cfc3bb31eaf9e6986a4d72056042aed21c002351ae391d2de6
Instruction Fuzzy Hash: 56916C71C093889FCB06CFA4C8909DDBFB1EF4B304F1A85AAE485AB263D7345956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A298A8, Relevance: 3.1, APIs: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A29916
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A2B8BE,?,?,?,?,?), ref: 00A2B97F

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: Handle$DuplicateModule
String ID:
API String ID: 2228235409-0
Opcode ID: 6d0f8e6f85d843d7c358e2829279a3d440a96f61ca9ae4b757cd9d98836af3c8
Instruction ID: 9ece6112a31797dbaeaa44a8b59b308dbc663bb91ee62a1776eab394f4910156
Opcode Fuzzy Hash: 6d0f8e6f85d843d7c358e2829279a3d440a96f61ca9ae4b757cd9d98836af3c8
Instruction Fuzzy Hash: 884123B5D003489FCB10CF9AD584ADEBBF4EB49324F14806AE818B7210D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073673A4, Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073675E6

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 039c690969469ca98309d0e4abb608984b949a186c655a4160bafee48916b777
Instruction ID: f68db090d86441f36477f2f5626af3131fb2efdbe59a566e391a36807fe52fd0
Opcode Fuzzy Hash: 039c690969469ca98309d0e4abb608984b949a186c655a4160bafee48916b777
Instruction Fuzzy Hash: 10A19EB1D0022ACFEB10CF68C8857EDBBB2FF44318F1581A9D809A7284DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 073673B0, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073675E6

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7419796525c2c6f3d3b62d098f37cfda4e2f911e8bde26bfb264de57abcd13a9
Instruction ID: abc0b20f5a12a28919d889e6c00425c9dc0b9b3e04ba0674a3ac8e8fe96afda5
Opcode Fuzzy Hash: 7419796525c2c6f3d3b62d098f37cfda4e2f911e8bde26bfb264de57abcd13a9
Instruction Fuzzy Hash: E5918FB1D0022ACFEB11CF68C8857EDBBB2BF44318F5581A9D809A7254DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A2FD2C, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A2FE4A

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dd1534cdfca61dad581922c286f6b4958bce6ff540665922f7c541d32ce2bea1
Instruction ID: 23b0d741569615151a62f697f430c5c48eb4537dc94b0ce54e40595e53c2f9aa
Opcode Fuzzy Hash: dd1534cdfca61dad581922c286f6b4958bce6ff540665922f7c541d32ce2bea1
Instruction Fuzzy Hash: E151CEB1D00319DFDB15CFA9D980ADEBBB1FF88314F25812AE819AB251D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2DE0C, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A2FE4A

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d790c2a509d09be9303893df3c62914ae96dfb53c0553aaedf50cd37e46d27b4
Instruction ID: f2c49ec8e28f6108e80d3669dc74827f34044198429cfa1ff9cb56290a2fbe39
Opcode Fuzzy Hash: d790c2a509d09be9303893df3c62914ae96dfb53c0553aaedf50cd37e46d27b4
Instruction Fuzzy Hash: 6451D0B1D00318DFDB15CF99D984ADEBBB5BF88314F25822AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2536C, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A25429

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 947ce52a3d1509c3a3b4a13e9623271ef7eaaa4cf00ba7668c53ae30a1b06d73
Instruction ID: b3b4bd3f82f585507c69a359c5b487f74cbb1817e25c9674c62ea254fddfa526
Opcode Fuzzy Hash: 947ce52a3d1509c3a3b4a13e9623271ef7eaaa4cf00ba7668c53ae30a1b06d73
Instruction Fuzzy Hash: 9A411370C04619CFDB24DFA9C884BDEBBB2BF49308F258169D408BB251DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A23DE8, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A25429

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f053a3f6925d30c62824648b1eec6e1a414ced1931f5376a679d9eedf4b285f
Instruction ID: bc0a38a2f2702bca7663d40012947fa6f357a6f7fd1149febf93207b0c5584f4
Opcode Fuzzy Hash: 2f053a3f6925d30c62824648b1eec6e1a414ced1931f5376a679d9eedf4b285f
Instruction Fuzzy Hash: E0410470C0461DCBDB24DFA9C8447DEBBB6BF49308F248169D509BB250DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07367120, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073671B8

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 581d57b56ae8908bf0698dfd888cb52f805d41b59707075c2afa8d181851fd4b
Instruction ID: 5e077d6554f0a14c11bfb14d56a33f161d5b94e76b91c58fc990d5b0b1af78dd
Opcode Fuzzy Hash: 581d57b56ae8908bf0698dfd888cb52f805d41b59707075c2afa8d181851fd4b
Instruction Fuzzy Hash: E2215AB19003099FCB00CFA9C985BDEBBF5FF48314F14842AE919A7340DB789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07367128, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073671B8

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 232422529c2cc6612af0448ab8cf6bd2230e2a6894ebd10980b362dbd2b24f1e
Instruction ID: 9c954bef149a64507fe0a800b2cfdb7cb77abdf5757978c00c8b2b77767018a8
Opcode Fuzzy Hash: 232422529c2cc6612af0448ab8cf6bd2230e2a6894ebd10980b362dbd2b24f1e
Instruction Fuzzy Hash: BA2127B19003199FCB00CFA9C985BEEBBF5FF48314F54842AE919A7240DB789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07366F88, Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 0736700E

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: aea2068855349ecbd95a80303b088403b79050b247a5bd8173e194467b9d8aab
Instruction ID: e0956af469d0537fc47c93f1943ae7c65c853d5584ca98c188fbed9aeea7be21
Opcode Fuzzy Hash: aea2068855349ecbd95a80303b088403b79050b247a5bd8173e194467b9d8aab
Instruction Fuzzy Hash: 8D214CB1D003099FDB10DFA9C5857EEBBF4EF48358F248429D559AB240CB789946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A29840, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A2B8BE,?,?,?,?,?), ref: 00A2B97F

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f91084c40100ff566f89f9a2a2af09323db66aa3ef9d1e4ae7555d66494ca285
Instruction ID: e3150609c50f118b044e71b3fa959ac9f77256bed306109bdd2075c3b59a0758
Opcode Fuzzy Hash: f91084c40100ff566f89f9a2a2af09323db66aa3ef9d1e4ae7555d66494ca285
Instruction Fuzzy Hash: 7A21D4B59002199FDB10CF99D584AEEBBF8FB48314F14842AE914A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07367211, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07367298

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5b0db011b9fb56a4b7c6917c846859d0fcf5c3b9820953431c8f4bbddcb8f441
Instruction ID: 6c1e50d12b0d45cb52c8bfd229769620dc9d6584923a39c6173e0c69658d7a12
Opcode Fuzzy Hash: 5b0db011b9fb56a4b7c6917c846859d0fcf5c3b9820953431c8f4bbddcb8f441
Instruction Fuzzy Hash: 682136B1C002199FCB00CFA9D8846EEBBB5FF48324F55842AE519A7240CB789905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07366F90, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 0736700E

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1a5e88ac27976d0e4144894c542e4bee9ce6098442a4bbb15cac6bccc1a3a3c6
Instruction ID: a046e7619b76807adb4fafb03b750df7b0c8971397e2ef6f1319adddaec043dd
Opcode Fuzzy Hash: 1a5e88ac27976d0e4144894c542e4bee9ce6098442a4bbb15cac6bccc1a3a3c6
Instruction Fuzzy Hash: 592149B1D003099FDB10DFAAC9857EEBBF4EF48218F148429D519A7240CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07367218, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07367298

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 026beaf18ddd10cf160f15d9efd7a0728faade8ef917c0362f50a279c4d7e340
Instruction ID: 4a50b943faf5dd019f7f9c10d171c669681a80206247114b40badddfc3aa42c7
Opcode Fuzzy Hash: 026beaf18ddd10cf160f15d9efd7a0728faade8ef917c0362f50a279c4d7e340
Instruction Fuzzy Hash: 4F2159B1C003099FCB00CFAAC884BEEBBF5FF48314F548429E519A7240CB789905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B8F0, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A2B8BE,?,?,?,?,?), ref: 00A2B97F

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 802624f110bf1e10f9454888e5d5f7adc77da1bd015cc40a5382adf9e1b82802
Instruction ID: ce2954ff1caa8512749ebde8ba487330a918cfdf2212325f5e046c70390fed20
Opcode Fuzzy Hash: 802624f110bf1e10f9454888e5d5f7adc77da1bd015cc40a5382adf9e1b82802
Instruction Fuzzy Hash: 7F2112B5D00208DFCB00CFA9E584ADEBBF5FB48324F14801AE914A7350C778A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07367060, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073670D6

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1111e44dc8b190535ca6dd2261fd11cfe0c9180862be3fc397b929b3a7a2d876
Instruction ID: fd404f7b5c0ec3953b2e1457d1ac2042ef2e87f9b9bbc144647ff2814cbd6ded
Opcode Fuzzy Hash: 1111e44dc8b190535ca6dd2261fd11cfe0c9180862be3fc397b929b3a7a2d876
Instruction Fuzzy Hash: 061126719006099FCB10DFA9D8447EFBBF5FB88324F248819E519AB250CB799945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A294B8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A29991,00000800,00000000,00000000), ref: 00A29BA2

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f46b57b2e198cc04a521cfaa6cf6ceae09862678b659b4da08844cc855b15913
Instruction ID: dca21be040cdb40ddb791ebdadbf6f29aee3fc54df97723d6894257b32010c74
Opcode Fuzzy Hash: f46b57b2e198cc04a521cfaa6cf6ceae09862678b659b4da08844cc855b15913
Instruction Fuzzy Hash: 261133B29002088FCB10CF9AE444ADEBBF4EB88724F14842AE915A7200C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07367068, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073670D6

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e24d33f7b4502270d412a5bbc35f744491378ab4772448fa363e74e102084e07
Instruction ID: 34d9e09659c5b6444d2ae3983bb4a9f13c166e52d537e45f9c00823df37ae1b5
Opcode Fuzzy Hash: e24d33f7b4502270d412a5bbc35f744491378ab4772448fa363e74e102084e07
Instruction Fuzzy Hash: F21137719002099FCB10DFA9D844BEFBBF5EF48324F248819E519A7250CB75A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07366ED8, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07366F42

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 90cdf730b97e492e0a56a0f8cf8b0e229808fd096a817a845ab5f8dabbc8c5f2
Instruction ID: 4728d52774fa45a531143a2154337b831095bc3eafa01a16edb7aac75faca57c
Opcode Fuzzy Hash: 90cdf730b97e492e0a56a0f8cf8b0e229808fd096a817a845ab5f8dabbc8c5f2
Instruction Fuzzy Hash: 95116AB1D042498FDB10CFA9D4857EEFBF4EB88224F258419D519BB640CB789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A29B30, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A29991,00000800,00000000,00000000), ref: 00A29BA2

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 182ca23dfc1cca0076423597cb3565644dfc6ea7d42f2508563c976202862224
Instruction ID: 11a6bc7fc025efb1b2565fbace154d42daff02b259e2686181a2118fdedc1746
Opcode Fuzzy Hash: 182ca23dfc1cca0076423597cb3565644dfc6ea7d42f2508563c976202862224
Instruction Fuzzy Hash: 1A1126B6D002098FCB14CF99E544BDEFBF5BB88324F14842ED959A7200C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07366EE0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07366F42

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 616f6f282cf91bc87ee6ad28bb7a152916f55dcf7e353083739f5062e8cf0546
Instruction ID: 4420a0313679a1ba90423fab6bb438150a9ff8b4ae5fc9d841c9d10bf2ec6a68
Opcode Fuzzy Hash: 616f6f282cf91bc87ee6ad28bb7a152916f55dcf7e353083739f5062e8cf0546
Instruction Fuzzy Hash: 22116AB1D003498FCB10CFAAD4457EFFBF4EB88224F248419D519B7240CB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A298B0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A29916

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc1c292cb8e82505bfdb261e5463de54c178d350dbbb91e05f3734b930c02f1c
Instruction ID: a1c1172e341158ebd315e5f79ed71a388003744088d1a01f565274fabebdb7a7
Opcode Fuzzy Hash: bc1c292cb8e82505bfdb261e5463de54c178d350dbbb91e05f3734b930c02f1c
Instruction Fuzzy Hash: C3110FB5D006498FCB10CF9AD444ADEFBF4EB89724F14842AD429B7200C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0736B730, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0736B795

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 668c1bdc5ce9bb1b4858922d1d5261fbce25c13b6a1ee36ddf231cdd29a7a01d
Instruction ID: 4691b502b6551c422e2c3b1b7e1650cebbdf944361bb66111eebbbbf29d83c39
Opcode Fuzzy Hash: 668c1bdc5ce9bb1b4858922d1d5261fbce25c13b6a1ee36ddf231cdd29a7a01d
Instruction Fuzzy Hash: EB1125B58003499FDB10CF99D988BDEBBF8EB48324F248419E418A7200C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0736B738, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0736B795

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a2b2cf54740ee94698f82dea76f33469470941e54cbf9246d23c179959e18b87
Instruction ID: b00aa55d02dc5b68a26e95c11ed5179f63c175c8438843fe657bb41ffbcec89e
Opcode Fuzzy Hash: a2b2cf54740ee94698f82dea76f33469470941e54cbf9246d23c179959e18b87
Instruction Fuzzy Hash: 8911D0B58007499FDB10CF99D989BDEFBF8FB48324F24881AE519A7600C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729101370.00000000008CD000.00000040.00000001.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b96742c21fdd77e8440f62e52cb219114b5e02db4720d632f1403d068108f7
Instruction ID: 63231d8fa8e4ca25e8f61a588073e3289037cb8ce460a66653b5e738eecae5ae
Opcode Fuzzy Hash: 12b96742c21fdd77e8440f62e52cb219114b5e02db4720d632f1403d068108f7
Instruction Fuzzy Hash: 3021BD71604B449FDB14EF18D9C0F16BBA5FB84328F24C9BDD90A8B246C73AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 008CD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729101370.00000000008CD000.00000040.00000001.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1614896f957b53b601953458acf92b7a00ec913ef9ff07cfbfe1b6a85e23eac0
Instruction ID: 826f5a53b388aacef3147553cd857410c8ff6a125aedf6972c3381f5b2eefe41
Opcode Fuzzy Hash: 1614896f957b53b601953458acf92b7a00ec913ef9ff07cfbfe1b6a85e23eac0
Instruction Fuzzy Hash: 98219DB1604344AFDB05EF54D9C0F26BBB5FB84318F24C9BDE9498B246C736E846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 008CD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729101370.00000000008CD000.00000040.00000001.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction ID: 76f58db531f8c95c8a6330c36bb22225bf0400e04083748c7c095699b8961684
Opcode Fuzzy Hash: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction Fuzzy Hash: 01118E75504280DFDB11DF10D6C4B15BB71FB84314F28C6ADD8498B656C33AE85ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 008CD017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729101370.00000000008CD000.00000040.00000001.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction ID: cef381e9ef941aecdd5addce0783aa0df114dd88c5e8c1970e760c8816fe8c5c
Opcode Fuzzy Hash: cc16c29598044954f4980a0c83147da8b9812f1b5fa16f843667af26126a180b
Instruction Fuzzy Hash: 4811BB75504780DFCB11DF14D6C4B16BBB1FB84324F28C6AED8498B656C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00082594, Relevance: 3.9, Instructions: 3909COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728391842.0000000000082000.00000002.00020000.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.728362988.0000000000080000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b29b6829ca543415d72bd40f6545b68b94dffe41ceb85d6655b340b5428fbd8
Instruction ID: 67b17f64583736fb611819518fdc47bf0168c4915997ce76f141457fbcbb9430
Opcode Fuzzy Hash: 4b29b6829ca543415d72bd40f6545b68b94dffe41ceb85d6655b340b5428fbd8
Instruction Fuzzy Hash: BA73F56240E7C25FCB139BB85CB52D17FB1AE6721471E49CBC4C0CF0A3E5186A6AD726

Uniqueness

Uniqueness Score: -1.00%

Function 07360EB6, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

UUUU, xrefs: 07360F6F

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 3a18fe050722960fb23730dc0a448f7f3c1301e5e11de2db45fe108d7ef26c2e
Instruction ID: 2507bbd0b86b8f3ac9bfbebb2417902065f9c87d04b9bec8cda121d4b92940ac
Opcode Fuzzy Hash: 3a18fe050722960fb23730dc0a448f7f3c1301e5e11de2db45fe108d7ef26c2e
Instruction Fuzzy Hash: B9515F74E156288FDBA4CFACC98078DB7F2AF48314F2485A9D50DEB215DB349A89CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00A2E5B0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3deefe3158e7f67afa5f08ca3e070aab2355f394bfb83d331bf4141c8b414889
Instruction ID: a2b859e1f2aedf22530b1bda2d71523ca6abdfc03edb7e51b1f49928a78a742e
Opcode Fuzzy Hash: 3deefe3158e7f67afa5f08ca3e070aab2355f394bfb83d331bf4141c8b414889
Instruction Fuzzy Hash: 081270F1D11B46CAE710CFB5EDAC1893BA1B7453AAB914308D2612BAF1D7B8154BCF84

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C164, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377b31ff7f309b8e61217037fb1b4261d79303052dcbaeee783515bac2c3eedc
Instruction ID: a775c9a401e935692b901d875535e014e8ce4b08527ebbb1edf817204d908b78
Opcode Fuzzy Hash: 377b31ff7f309b8e61217037fb1b4261d79303052dcbaeee783515bac2c3eedc
Instruction Fuzzy Hash: 05A16C32E00229CFCF05DFA9D9449DEB7B2FF85300B15857AE905BB262EB71A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A2E5A0, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.729229168.0000000000A20000.00000040.00000001.sdmp, Offset: 00A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d538f1290a427ec164744a3db4dc424d9dc56170f87dbd36f1e1b66ca2f9330
Instruction ID: bdb048ec4da4349cd63a3743ecaab374de450aca681357c81cd9f80b4c855789
Opcode Fuzzy Hash: 5d538f1290a427ec164744a3db4dc424d9dc56170f87dbd36f1e1b66ca2f9330
Instruction Fuzzy Hash: CFC1E7B1D11B46CAD710CFB5ECAC1897BB1BB8536AF514309D2612BAE1E7B8144BCF84

Uniqueness

Uniqueness Score: -1.00%

Function 07360026, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd47cb4aa75a5b0aa08f9779b458d5b686e4d013de397fb38d069b1f8bd2a1c
Instruction ID: ec975dbed131cdee8fc722eb02aa8f1f111779cc632f42240faf8405d55650bb
Opcode Fuzzy Hash: ecd47cb4aa75a5b0aa08f9779b458d5b686e4d013de397fb38d069b1f8bd2a1c
Instruction Fuzzy Hash: EA4162B1E056588BEB1CCF6B8C4078AFAF7AFC5200F14C1FAC90CAA215DB3449868F15

Uniqueness

Uniqueness Score: -1.00%

Function 07360040, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.735070644.0000000007360000.00000040.00000001.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7bc5397aba14c0a8344e2c33ba2a7761f356b858c2ca378214332e5abd70a5
Instruction ID: 3a3b53e856c8c2a121b09c1e2072903a47fc12a51aa48ab328e1391269d203c6
Opcode Fuzzy Hash: 1d7bc5397aba14c0a8344e2c33ba2a7761f356b858c2ca378214332e5abd70a5
Instruction Fuzzy Hash: F34132B1E016588BEB5CCF6B8C4478AFAF7AFC9204F14C1BA850CA6218EB7049858F15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment confirmation .exe PID: 5520 Parent PID: 6996 Payment confirmation .exeCOMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	8

Executed Functions

Function 0108FAA0, Relevance: 1.8, APIs: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b5364e621c9c5086acb361f8caf99e92205059ed5c30a11167dd4cffa31f48
Instruction ID: 28e06aa9e4aa6f4257788b41ced7c09ef811d438272a53068c8cb23ccf6d67bb
Opcode Fuzzy Hash: 89b5364e621c9c5086acb361f8caf99e92205059ed5c30a11167dd4cffa31f48
Instruction Fuzzy Hash: 3C919CB1C193899FDB02DFA4C8909CDBFB1EF0A340F2981AAE444AB252D7395846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010893E8, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0108962E

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6770a064e53e582992b8039e97e19b07eeddec6c4847143065b310c225b9691d
Instruction ID: 135d2ce555ffaebd553c0a37a17c8dfa05837e55953b421d0894546724928af8
Opcode Fuzzy Hash: 6770a064e53e582992b8039e97e19b07eeddec6c4847143065b310c225b9691d
Instruction Fuzzy Hash: 35715770A04B058FD764EF2AC4417AABBF1FF88208F108A6ED586D7A50DB34E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0108DA04, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0108FD0A

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 20f12a1e18ce468d9d83220a4cd50dfc4760c3601c9c6d95205bf32e9574e852
Instruction ID: b21b9f3f24f45bccbaaf469f8e065cb41310d0e0045984423d59ec66f572ba88
Opcode Fuzzy Hash: 20f12a1e18ce468d9d83220a4cd50dfc4760c3601c9c6d95205bf32e9574e852
Instruction Fuzzy Hash: 1E51E0B1D043099FDB14DFA9C980ADEBBB5FF48310F24812AE919AB210D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F83474, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04F846B1

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9977e927909a0895826527455f163e87ad56dd7d0cc12138fa9beb5f5d12e5be
Instruction ID: 8be6a4aa6200fc73a8d04d1b3f8e28430090226920657c04e0fe9aa9a2e98089
Opcode Fuzzy Hash: 9977e927909a0895826527455f163e87ad56dd7d0cc12138fa9beb5f5d12e5be
Instruction Fuzzy Hash: 8C41F371D0461DCBDB24DFA9C844BCEBBF1BF49308F258169D808AB250EB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04F82470, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F82531

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9c426b361f1e9d102a6223bd301a875497cf55ef01bfedde414349f5fda87920
Instruction ID: 8277cd8bbfb089e0f6e48e9bae16a41a3b6c85fb8bc24ad9893d7ec1a34c736a
Opcode Fuzzy Hash: 9c426b361f1e9d102a6223bd301a875497cf55ef01bfedde414349f5fda87920
Instruction Fuzzy Hash: 624129B5A002058FDB14DF99C488AABBBF5FB88314F25849DD519AB361D734E942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F8B898, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: dd86a6445a3202fb1ea203d52c1dbdc23abe93ba741e14ffac019d97884d1c5a
Instruction ID: a6441a59b5a00b7921041b05c545d33885a017012949730ea5b67ac21f14be3d
Opcode Fuzzy Hash: dd86a6445a3202fb1ea203d52c1dbdc23abe93ba741e14ffac019d97884d1c5a
Instruction Fuzzy Hash: EB3169719042499FDB01DFA9D800ADEBFF8EF09310F18805AF954AB221C739A855DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108A14C, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0108BCC6,?,?,?,?,?), ref: 0108BD87

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2952260c50d3cc83cbc86c09c629c171a99a590c435fb518895faf05dc088abe
Instruction ID: 3e780d4d3232e55fc698012fecf62a46c64cbf4c18d4c4501a1ea2a82d797098
Opcode Fuzzy Hash: 2952260c50d3cc83cbc86c09c629c171a99a590c435fb518895faf05dc088abe
Instruction Fuzzy Hash: FD21E3B5904308AFDB10DF99D984ADEBBF4EB48324F14842AE954A7310D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108BCF9, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0108BCC6,?,?,?,?,?), ref: 0108BD87

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6bf7016781c3bb7d24d4953d4dd486c704fc9a34eb7f80b784608190a7085486
Instruction ID: 947e011dda21bc177640c0d93a2dc1ab8e53e87284b28b133ae4de61a2a1c129
Opcode Fuzzy Hash: 6bf7016781c3bb7d24d4953d4dd486c704fc9a34eb7f80b784608190a7085486
Instruction Fuzzy Hash: 6C21F5B5D00208AFDB10DFA9D584ADEBFF4FB48320F14841AE958A7310D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F8A504, Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F8B8B2,?,?,?,?,?), ref: 04F8B957

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4394fa72ca0d6a9c6c8624ebf5892ba3448948dd98965733f5bc683e4197dead
Instruction ID: efef717f17025cc868bb73d6def75f0eb2fb6f1fb64ea04ff0c741111be2b104
Opcode Fuzzy Hash: 4394fa72ca0d6a9c6c8624ebf5892ba3448948dd98965733f5bc683e4197dead
Instruction Fuzzy Hash: FF1167B29002499FDB10DF9AD944BDEBFF8EB48320F14841AE914B7210C738A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01089849, Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010896A9,00000800,00000000,00000000), ref: 010898BA

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ac716cb0affc5e69243927e69a212531e475097560519d4062aad3167f1de1a
Instruction ID: 30d67d1058a416faaa9f3cd911607e758f3c2cf952100ef7bd7e8cc9d83ef954
Opcode Fuzzy Hash: 5ac716cb0affc5e69243927e69a212531e475097560519d4062aad3167f1de1a
Instruction Fuzzy Hash: 9C1103B6D00209CFDB10DF9AD544ADEBBF4EB88324F14842AD555A7600C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01088768, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010896A9,00000800,00000000,00000000), ref: 010898BA

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 286e2b3ca924db6c403494f7d921411b713a2b0e608a59469b4b8899c4551d80
Instruction ID: b8e6887b388380274b553ed4fe6524bae82e61824f231c312a5d57829a6f8cb2
Opcode Fuzzy Hash: 286e2b3ca924db6c403494f7d921411b713a2b0e608a59469b4b8899c4551d80
Instruction Fuzzy Hash: 161124B5904209CFDB10DF9AD444BEEBBF4AB88314F14842ED555A7200C778A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F832D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,010553E8,00000000,?), ref: 04F8E73D

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b6360d05373d5de9adf3e66b3db69efe9a5d21301f7bc01c6743da79da3a422f
Instruction ID: cef850b63943fe451b76ef94cf71a12ea5030a780a5e49963b97d585dbe35a51
Opcode Fuzzy Hash: b6360d05373d5de9adf3e66b3db69efe9a5d21301f7bc01c6743da79da3a422f
Instruction Fuzzy Hash: AC116AB59003099FDB10DF99C845BEFBBF8EB48320F148419E954A7240D778A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108FE38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0108FE28,?,?,?,?), ref: 0108FE9D

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2bc885fefca507de1926288ebf5e0098ac6016f3f3f7d58a0dfef5914883c22a
Instruction ID: 5b4516dc2846b1639ca9caa81cf7524455fc8509994f661a4223709e4197a9c9
Opcode Fuzzy Hash: 2bc885fefca507de1926288ebf5e0098ac6016f3f3f7d58a0dfef5914883c22a
Instruction Fuzzy Hash: 131130B59002098FDB20DF99D585BDEBBF8EB48724F20841AE858B7241C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F850D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04F8D29D

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4e4a3fd3a17b685f0f9b293177187f508edbd1574d29732c1ee20ec6b069ff8f
Instruction ID: 164d4b17ca8ca00e870b8b7fd1a8092e25cc992476d4d1ec553cead7ca9ae0da
Opcode Fuzzy Hash: 4e4a3fd3a17b685f0f9b293177187f508edbd1574d29732c1ee20ec6b069ff8f
Instruction Fuzzy Hash: E111F5B59002099FDB10DF99D545BDEBBF8EB48324F148419E914B7240D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F8A548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,04F8BC49,?,?,00000000), ref: 04F8BCBD

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b9ee648a4869b9aea64b158d9c963e9b006b1d5cdd72f521a40981ec3a0dd2d9
Instruction ID: dbfc5f81dc8b5c6e960e34aef863b9be61bc747df63e6898f83982283efd6398
Opcode Fuzzy Hash: b9ee648a4869b9aea64b158d9c963e9b006b1d5cdd72f521a40981ec3a0dd2d9
Instruction Fuzzy Hash: AD1122B59003089FDB10DF89D985BDFBBF8EB48324F148419E914AB200C778A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F81540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F8226A,?,00000000,?), ref: 04F8C435

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2c09c796be7e2ff0d6f414cd77eded2618ee08b2a02005cad8f1bca55958e87c
Instruction ID: eb8a3bf5534e5365c05a3d291483deaff30d92c55b90a9164da0b8583693cf22
Opcode Fuzzy Hash: 2c09c796be7e2ff0d6f414cd77eded2618ee08b2a02005cad8f1bca55958e87c
Instruction Fuzzy Hash: 9A1148B58003489FDB10DF99D945BDFBBF8EB48324F108419E914B7600C374A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010895C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0108962E

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d72f1a79ad80738e38b95d008dcfed97369df671c7d65f649b1b9a7c4af95072
Instruction ID: 2871b6bd7878bd2d4b954dae20608901703514290ce4787c9f1298e2c1038516
Opcode Fuzzy Hash: d72f1a79ad80738e38b95d008dcfed97369df671c7d65f649b1b9a7c4af95072
Instruction Fuzzy Hash: 121110B5C006098FDB10DF9AD444BDEFBF4AF88228F14842AD859A7200C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0108FE28,?,?,?,?), ref: 0108FE9D

Memory Dump Source

Source File: 0000000A.00000002.939419978.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1080000_Payment confirmation .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2db129ee3f344275bfcd7ee2c08a86b7b732346a8097eaf7ae2d7cbd51cf625b
Instruction ID: 7c7ace8d7a0f445d68d6a0f3c2bb8f0a59939e7a64d6f517cf20e1702f7515a1
Opcode Fuzzy Hash: 2db129ee3f344275bfcd7ee2c08a86b7b732346a8097eaf7ae2d7cbd51cf625b
Instruction Fuzzy Hash: D11145B59002098FDB10DF99D585BDFBBF8EB48324F14841AE954B7341C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F8DC60, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04F8F435

Memory Dump Source

Source File: 0000000A.00000002.942501938.0000000004F80000.00000040.00000001.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4f80000_Payment confirmation .jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ff8a6c18c7ea705abe91795e72c24d6a35a357be3b715c254a32f26bd4d019b7
Instruction ID: 393ee43181b17db12c7c148ddf914e4a0bf5c8b774f4c199f8ec3d3a1c7f4592
Opcode Fuzzy Hash: ff8a6c18c7ea705abe91795e72c24d6a35a357be3b715c254a32f26bd4d019b7
Instruction Fuzzy Hash: 851142B19002088FCB10DF99D589BDFBBF4EB48324F24841AE519BB600C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.939177620.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fed000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9ec5b40cc0be235ca3fb5dc24d0cca9c4d61d3d311fdc2610b7caef7fc5f0
Instruction ID: cb52298bbf75028985f21fcac894beaa6671a0be0abab6d9773efa46db76268e
Opcode Fuzzy Hash: caf9ec5b40cc0be235ca3fb5dc24d0cca9c4d61d3d311fdc2610b7caef7fc5f0
Instruction Fuzzy Hash: F5210672904380DFDB01CF54D9C0B16BBA5FB94328F388569D9050B656C336D855EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.939204736.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ffd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e7463e22556a8e5a14e0080e3b8458be506984c695afb0f6dc59a3d1b0d153
Instruction ID: a82c0987fb26a25066109383447a75b08bffab933b5bd954ccdfc20cecca7c4e
Opcode Fuzzy Hash: 62e7463e22556a8e5a14e0080e3b8458be506984c695afb0f6dc59a3d1b0d153
Instruction Fuzzy Hash: 6821F571604248DFDB14DF14D5C0B26BBA6FF84324F34C569DA094B36ACB36D847EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.939204736.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ffd000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6f647409aed394e18d3251a554d7858590fcaadd7f14f66f59fd815014713b
Instruction ID: 7ceabca6cfa3ca723a98bdb9847bf92ad6466b92d5e4e462fc8ae22d9268434b
Opcode Fuzzy Hash: 9d6f647409aed394e18d3251a554d7858590fcaadd7f14f66f59fd815014713b
Instruction Fuzzy Hash: 992171755093848FCB02CF20D590715BF71EF46224F28C5EAD9498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.939177620.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fed000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f94134bb014abb579cfd279659e17573a78b517b5aeb89abd8cbe1213a7701
Instruction ID: e276dab27b4d3d4cd4530ac1d84ba68335002ed2281ecfd7d6281bcf791302bd
Opcode Fuzzy Hash: 14f94134bb014abb579cfd279659e17573a78b517b5aeb89abd8cbe1213a7701
Instruction Fuzzy Hash: 7C11B176804380CFDB12CF14D6C4B16BF71FB84324F28C6A9D8050B656C336D85ADBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Payment confirmation .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Function 00A2FBE0, Relevance: 1.8, APIs: 1, Instructions: 258
COMMON

Function 00A298A8, Relevance: 3.1, APIs: 2, Instructions: 115
COMMON

Function 073673A4, Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Function 073673B0, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00A2FD2C, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 00A2DE0C, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 00A2536C, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00A23DE8, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON