Windows Analysis Report
Payment confirmation .exe

Overview

General Information

Sample Name: Payment confirmation .exe
Analysis ID: 559231
MD5: 0d98108aa5a3383c2c3152cf2cd5ae9a
SHA1: e08d7ba0bf0ac4f93d17e71d27a82dfb22058626
SHA256: 796f57da16fa76bd10afb6a16f9f75b78673f47556ce4d93d93ec34b5d898f61
Tags: exe, nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: Payment confirmation .exe Virustotal: Detection: 31%
Source: Payment confirmation .exe ReversingLabs: Detection: 32%
Source: 37.120.210.211 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe ReversingLabs: Detection: 32%
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR
Source: Payment confirmation .exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe Joe Sandbox ML: detected
Source: 21.0.Payment confirmation .exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.6070000.9.unpack Avira: Label: TR/NanoCore.fadte
Source: 21.0.Payment confirmation .exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance

Source: Payment confirmation .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Payment confirmation .exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: global traffic TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8
Source: Malware configuration extractor URLs: 37.120.210.211
Source: Malware configuration extractor URLs: naki.airdns.org
Source: Joe Sandbox View ASN Name: TENET-1ZA
Source: global traffic TCP traffic: 192.168.2.6:49811 -> 146.70.76.43:56281
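The extracted configuration in the AV Detection section and the TCP traffic lines above, turned into something a responder can run: the following is an added example, not part of the Joe Sandbox report and not NanoCore's own code. It derives network IOCs from the DomainN/Port fields of the configuration and applies them, together with the report's "connects to many ports of the same IP" heuristic, to connection records. Note the caveat it is built to show: the configuration names naki.airdns.org and 37.120.210.211, but the observed traffic went to 146.70.76.43, an address that appears nowhere in the configuration, so config-derived IOCs alone would not flag the low-port connections the sandbox saw. The connection records are constructed; the assumption that naki.airdns.org resolved to 146.70.76.43 is not supported by anything in the report and is marked as such in the code.

```python
"""NanoCore configuration -> network IOCs, applied to connection records.

Added example for this report, not Joe Sandbox code. Configuration values,
the 146.70.76.43 destination and its port list come from the report; the
connection records are constructed, and the mapping of naki.airdns.org to
146.70.76.43 is an assumption (the report shows no DNS answer).
"""
import json
import re
from collections import defaultdict

# Subset of the extracted configuration, values exactly as the report prints them.
NANOCORE_CONFIG = json.loads("""{
  "Version": "1.2.2.0",
  "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b",
  "Domain1": "naki.airdns.org",
  "Domain2": "37.120.210.211",
  "Port": 56281,
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}""")

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def iocs_from_config(cfg):
    """NanoCore stores its C2 endpoints in DomainN fields that may hold either a
    hostname or a literal IP; sort them into the two IOC types and keep the port.
    The configured DNS servers are public resolvers and are not treated as IOCs."""
    hosts, ips = set(), set()
    for key, value in cfg.items():
        if key.startswith("Domain") and value:
            (ips if IPV4.match(value) else hosts).add(value.lower())
    return {"hosts": hosts, "ips": ips, "port": int(cfg["Port"])}


# Constructed connection records: (src_ip, dst_ip, dst_port, name the client resolved or None).
# The first six mirror the report's observed traffic to 146.70.76.43 (ports 56281,1,2,5,6,8);
# the seventh is a hypothetical hit on the configured fallback IP; the last two are benign noise.
SAMPLE_CONNECTIONS = [
    ("192.168.2.6", "146.70.76.43", 56281, "naki.airdns.org"),  # resolution is an assumption
    ("192.168.2.6", "146.70.76.43", 1, None),
    ("192.168.2.6", "146.70.76.43", 2, None),
    ("192.168.2.6", "146.70.76.43", 5, None),
    ("192.168.2.6", "146.70.76.43", 6, None),
    ("192.168.2.6", "146.70.76.43", 8, None),
    ("192.168.2.6", "37.120.210.211", 56281, None),  # hypothetical, not seen in the sandbox
    ("192.168.2.6", "8.8.8.8", 53, None),
    ("192.168.2.6", "93.184.216.34", 443, "example.com"),
]


def match_connections(conns, iocs):
    """Return (src, dst, port, reasons) for every record that touches a config IOC.
    A port match on its own is weak evidence, so it is reported as a separate
    reason instead of being folded into the IP/domain matches."""
    hits = []
    for src, dst, port, name in conns:
        reasons = []
        if dst in iocs["ips"]:
            reasons.append("c2-ip")
        if name and name.lower() in iocs["hosts"]:
            reasons.append("c2-domain")
        if port == iocs["port"]:
            reasons.append("c2-port")
        if reasons:
            hits.append((src, dst, port, tuple(reasons)))
    return hits


def many_ports_same_ip(conns, threshold=5):
    """The report's 'connects to many ports of the same IP' signature: collect the
    distinct destination ports per (src, dst) pair and flag pairs at or above the
    threshold. This is what catches 146.70.76.43 even though the config never names it."""
    ports = defaultdict(set)
    for src, dst, port, _ in conns:
        ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    iocs = iocs_from_config(NANOCORE_CONFIG)
    print("IOCs:", iocs)
    for hit in match_connections(SAMPLE_CONNECTIONS, iocs):
        print("IOC hit:", hit)
    for pair, ports in many_ports_same_ip(SAMPLE_CONNECTIONS).items():
        print("many ports on one IP:", pair, ports)
```

In practice the dynamic-DNS hostname (airdns.org) is the durable indicator; block and hunt on the hostname and on both IPs, and keep the port-spread heuristic in place for the case where the operator moves the listener to an address the configuration never mentioned.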
Source: Payment confirmation .exe, 00000000.00000003.357486991.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357630236.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357683121.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356117157.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356305451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000003.357825255.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357302229.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357469019.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357024345.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357977143.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356575956.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356445695.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356700406.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356887648.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357619118.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357149641.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.como
Source: Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.comug
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment confirmation .exe, 00000000.00000003.367709317.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html%
Source: Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com3
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com9
Source: Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comac
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comc
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comces
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comcyK
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comesH
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comhly
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comlg
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comm
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comncyI
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comr-t
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comso
Source: Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366935086.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367218271.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367116516.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comt0
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comth
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comva&
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380893532.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382778780.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381168425.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.380694836.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393142180.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers%
Source: Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374545461.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374384052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382554954.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382497875.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: Payment confirmation .exe, 00000000.00000003.380972243.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381322016.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381187839.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381501028.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381061897.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380504872.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380770592.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380416970.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersB
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersb
Source: Payment confirmation .exe, 00000000.00000003.376830096.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersc
Source: Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersh
Source: Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000002.559399340.00000000012C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdia
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnK
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnl
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnls(
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnmpa
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 
00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnno
Source: Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnrm
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnsof0
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.386807451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386605316.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387075190.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387222007.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386931372.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr-c
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.krmn-u
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.386028171.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comno.
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.368239598.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368365048.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368048501.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comd
Source: Payment confirmation .exe, 00000000.00000003.360911622.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361056673.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krTF
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr_
Source: Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krs-c
Source: Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.coms
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383309388.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383712360.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383422790.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383830654.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383630749.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383516270.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deg
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de~
Source: Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 
00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnk
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnls(
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.V
Source: unknown DNS traffic detected: queries for: naki.airdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

System Summary

Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: initial sample Static PE information: Filename: Payment confirmation .exe
Source: Payment confirmation .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_02BB6F80 0_2_02BB6F80
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_02BB6F72 0_2_02BB6F72
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_02BB6D30 0_2_02BB6D30
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_02BB6D22 0_2_02BB6D22
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_05794454 0_2_05794454
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_0579C658 0_2_0579C658
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_05792330 0_2_05792330
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_05790D94 0_2_05790D94
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_05791C18 0_2_05791C18
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_0758DDA8 0_2_0758DDA8
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_07582102 0_2_07582102
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_07585770 0_2_07585770
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_07585508 0_2_07585508
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0119E471 21_2_0119E471
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0119E480 21_2_0119E480
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0119BBD4 21_2_0119BBD4
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_05376550 21_2_05376550
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_05373E30 21_2_05373E30
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0537BED8 21_2_0537BED8
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_05374A50 21_2_05374A50
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0537CAF0 21_2_0537CAF0
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_05374B08 21_2_05374B08
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_0537CBAE 21_2_0537CBAE
Source: C:\Users\user\Desktop\Payment confirmation .exe Process Stats: CPU usage > 98%
Source: Payment confirmation .exe, 00000000.00000002.558685046.0000000000A66000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567565837.00000000074C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567891113.0000000007690000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000000.550290214.00000000009E6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iBGUhLU.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Payment confirmation .exe Virustotal: Detection: 31%
Source: Payment confirmation .exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\Payment confirmation .exe File read: C:\Users\user\Desktop\Payment confirmation .exe Jump to behavior
Source: Payment confirmation .exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment confirmation .exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment confirmation .exe "C:\Users\user\Desktop\Payment confirmation .exe"
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe File created: C:\Users\user\AppData\Local\Temp\tmp2497.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/9@2/1
Source: C:\Users\user\Desktop\Payment confirmation .exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\Payment confirmation .exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe Mutant created: \Sessions\1\BaseNamedObjects\NFjYqzvaoo
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{2616a878-9933-42e4-9fe0-3b57e29bc1f5}
Source: Payment confirmation .exe, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: Payment confirmation .exe, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs Cryptographic APIs: 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment confirmation .exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Payment confirmation .exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment confirmation .exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Payment confirmation .exe, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: iBGUhLU.exe.0.dr, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.1.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.0.unpack, nW/bWj.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 0_2_07310C15 push FFFFFF8Bh; iretd 0_2_07310C17
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_065618FC push E802005Eh; retf 21_2_06561901
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_06561912 pushad ; retf 21_2_06561929
Source: C:\Users\user\Desktop\Payment confirmation .exe Code function: 21_2_06561904 push E801035Eh; ret 21_2_06561909
Source: initial sample Static PE information: section name: .text entropy: 7.86642009336
Source: initial sample Static PE information: section name: .text entropy: 7.86642009336
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
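The ".text entropy: 7.86642009336" lines above, together with the Assembly.Load(System.Byte[]) and GetDelegateForFunctionPointer hits, are the static face of the packer that later unpacks the NanoCore payload in memory. The following is an added example, not code from the report or from the sandbox vendor: it parses the PE section table with struct, computes per-section Shannon entropy and flags executable sections above a threshold. The 7.2 cut-off is an assumed tuning value (ordinary compiled .text sits far lower), and the PE image it runs against is constructed inline from a SHA-256-chained filler so it runs offline; real triage would pass the bytes of the sample instead.

```python
"""Per-section entropy triage for a PE file (added example, not from the report).

Reads the COFF and section headers with struct, computes the Shannon entropy of
each section's raw bytes and flags executable sections above a packing
threshold, the same signal the report's ".text entropy: 7.866" line reflects.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 7.2  # assumed tuning value; plain compiled .text sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, characteristics, raw_bytes) for every section header."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    first = coff + 20 + size_of_optional  # section table follows the optional header
    for i in range(num_sections):
        off = first + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        characteristics = struct.unpack_from("<I", blob, off + 36)[0]
        yield name, characteristics, blob[raw_ptr:raw_ptr + raw_size]


def section_report(blob: bytes) -> list:
    """One dict per section; 'suspicious' marks executable sections that look packed."""
    rows = []
    for name, chars, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        rows.append({"name": name, "entropy": round(ent, 3), "executable": executable,
                     "suspicious": executable and ent > PACKED_ENTROPY_THRESHOLD})
    return rows


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(text: bytes, data: bytes) -> bytes:
    """Constructed minimal PE32 image: only the fields pe_sections() reads are populated."""
    e_lfanew, size_of_optional = 0x40, 0xE0
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * 2
    text_ptr = (header_len + 0x1FF) & ~0x1FF            # 0x200 file alignment
    data_ptr = text_ptr + ((len(text) + 0x1FF) & ~0x1FF)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, size_of_optional, 0x0102)

    def section(name, vaddr, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional)
               + section(b".text", 0x1000, text, text_ptr,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
               + section(b".data", 0x3000, data, data_ptr, 0x00000040 | 0x40000000 | 0x80000000))
    image = bytearray(data_ptr + len(data))
    image[:len(headers)] = headers
    image[text_ptr:text_ptr + len(text)] = text
    image[data_ptr:data_ptr + len(data)] = data
    return bytes(image)


# Constructed sample: a packed-looking .text next to a constant .data section.
SAMPLE_PE = build_sample_pe(pseudo_random_bytes(4096), b"A" * 2048)

if __name__ == "__main__":
    for row in section_report(SAMPLE_PE):
        print(row)
```

Entropy alone is not proof of packing (compressed resources and embedded certificates score high too), which is why the check is limited to sections marked executable; the report's own chain of evidence is the same combination of a near-8.0 .text section and reflective Assembly.Load calls.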

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
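The two Sigma hits in this report, "Powershell Defender Exclusion" and "Suspicius Add Task From User AppData Temp", correspond to the powershell.exe Add-MpPreference -ExclusionPath and schtasks.exe /Create /XML process creations listed above. The following is an added example, not code from the report or from any Sigma rule: it runs equivalent detection logic over process-creation events in Sysmon Event ID 1 shape. The two malicious command lines are the ones the report records (with the quoting normalised); the two benign events are constructed for contrast, and the severity scoring and the user-writable-path heuristic are assumptions made for the example.

```python
"""Detection logic for the two Sigma-flagged behaviours in this report (added example).

Sysmon-style process-creation events are matched against two rules: a Windows
Defender exclusion added through PowerShell, and a scheduled task registered
from an XML file sitting in the user's Temp directory.
"""
import re

# Constructed events in Sysmon Event ID 1 shape. The two malicious command lines
# are the ones this report shows (quoting normalised); the benign ones are made up.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\Payment confirmation .exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Payment confirmation .exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Microsoft\Windows\Demo" /XML "C:\ProgramData\Vendor\task.xml"'},
]

# A quoted argument lands in group "q", an unquoted one in group "u".
ARG_VALUE = r'(?:"(?P<q>[^"]+)"|(?P<u>\S+))'
EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusion(path|process|extension)\s+" + ARG_VALUE, re.I)
XML_ARG = re.compile(r"/xml\s+" + ARG_VALUE, re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Heuristic (assumption): paths under these profile folders are writable by the user.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)


def _image_name(event: dict) -> str:
    return event["Image"].rsplit("\\", 1)[-1].lower()


def _arg(match) -> str:
    return match.group("q") or match.group("u")


def detect_defender_exclusion(event: dict):
    """Sigma 'Powershell Defender Exclusion' equivalent: Add-MpPreference -Exclusion* from powershell.exe."""
    if _image_name(event) != "powershell.exe":
        return None
    m = EXCLUSION.search(event["CommandLine"])
    if not m:
        return None
    target = _arg(m)
    return {
        "rule": "defender_exclusion_via_powershell",
        "kind": m.group(1).lower(),
        "target": target,
        # An exclusion inside a user-writable directory lets anything dropped there
        # later run unscanned, so it rates higher than an exclusion on a system path.
        "severity": "high" if USER_WRITABLE.search(target) else "medium",
    }


def detect_schtasks_xml_from_temp(event: dict):
    """Sigma 'Add Task From User AppData Temp' equivalent: schtasks /Create with /XML in %TEMP%."""
    if _image_name(event) != "schtasks.exe":
        return None
    cmd = event["CommandLine"]
    m = XML_ARG.search(cmd)
    if not re.search(r"/create\b", cmd, re.I) or not m:
        return None
    xml_path = _arg(m)
    if not TEMP_DIR.search(xml_path):
        return None
    tn = re.search(r"/tn\s+" + ARG_VALUE, cmd, re.I)
    return {"rule": "schtasks_create_from_user_temp_xml",
            "task": _arg(tn) if tn else None, "xml": xml_path, "severity": "high"}


RULES = (detect_defender_exclusion, detect_schtasks_xml_from_temp)


def run_rules(events: list) -> list:
    """Apply every rule to every event and enrich hits with parent-process context."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                # Both hits in this report share a parent launched from the user's
                # Desktop; carrying that into the alert is what ties them together.
                hit["parent"] = ev["ParentImage"]
                hit["parent_in_user_profile"] = bool(USER_WRITABLE.search(ev["ParentImage"]))
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Matching on the command line rather than the image path matters here: the report shows the 32-bit sample spawning C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe while the command line names the System32 copy, so a rule keyed only on the System32 path would miss it. The task name "Updates\iBGUhLU" and the exclusion on the dropped C:\Users\user\AppData\Roaming\iBGUhLU.exe are the two artefacts to remove when cleaning an affected host.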

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Payment confirmation .exe File opened: C:\Users\user\Desktop\Payment confirmation .exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.Payment confirmation .exe.2d2f510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.2d3e02c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5584 Thread sleep time: -34001s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5408 Thread sleep time: -62000s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3456 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 1352 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment confirmation .exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment confirmation .exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6227
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2358
Source: C:\Users\user\Desktop\Payment confirmation .exe Window / User API: threadDelayed 3363
Source: C:\Users\user\Desktop\Payment confirmation .exe Window / User API: threadDelayed 5848
Source: C:\Users\user\Desktop\Payment confirmation .exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Thread delayed: delay time: 34001
Source: C:\Users\user\Desktop\Payment confirmation .exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment confirmation .exe Thread delayed: delay time: 922337203685477
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\user\Desktop\Payment confirmation .exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment confirmation .exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment confirmation .exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment confirmation .exe Memory written: C:\Users\user\Desktop\Payment confirmation .exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Users\user\Desktop\Payment confirmation .exe Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager|$,
Source: Payment confirmation .exe, 00000015.00000002.617591812.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617574269.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621629051.000000000696E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621303249.0000000005EAB000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621509072.000000000654E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621454017.00000000061CD000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621476746.000000000630F000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager(h
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Remote Access Functionality

Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR