Edit tour

Windows Analysis Report
Payment confirmation .exe

Overview

General Information

Sample Name:	Payment confirmation .exe
Analysis ID:	559231
MD5:	0d98108aa5a3383c2c3152cf2cd5ae9a
SHA1:	e08d7ba0bf0ac4f93d17e71d27a82dfb22058626
SHA256:	796f57da16fa76bd10afb6a16f9f75b78673f47556ce4d93d93ec34b5d898f61
Tags:	exenanocore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Payment confirmation .exe (PID: 4540 cmdline: "C:\Users\user\Desktop\Payment confirmation .exe" MD5: 0D98108AA5A3383C2C3152CF2CD5AE9A)

powershell.exe (PID: 5776 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4688 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Payment confirmation .exe (PID: 5116 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: 0D98108AA5A3383C2C3152CF2CD5AE9A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69457:$a: NanoCore 0x694b0:$a: NanoCore 0x694ed:$a: NanoCore 0x69566:$a: NanoCore 0x694b9:$b: ClientPlugin 0x694f6:$b: ClientPlugin 0x69df4:$b: ClientPlugin 0x69e01:$b: ClientPlugin 0x863c8:$b: ClientPlugin 0x5f6e6:$e: KeepAlive 0x69941:$g: LogClientMessage 0x698c1:$i: get_Connected 0x5f7cc:$j: #=q 0x5f7e8:$j: #=q 0x5f804:$j: #=q 0x5f820:$j: #=q 0x5f83c:$j: #=q 0x5f86c:$j: #=q 0x5f89c:$j: #=q 0x5f8b8:$j: #=q 0x5f8d4:$j: #=q
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d95:$x1: NanoCore.ClientPluginHost 0x5b3b5:$x1: NanoCore.ClientPluginHost 0x10dd2:$x2: IClientNetworkHost 0x5b3f2:$x2: IClientNetworkHost 0x14905:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5ef25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10afd:$a: NanoCore 0x10b0d:$a: NanoCore 0x10d41:$a: NanoCore 0x10d55:$a: NanoCore 0x10d95:$a: NanoCore 0x5b11d:$a: NanoCore 0x5b12d:$a: NanoCore 0x5b361:$a: NanoCore 0x5b375:$a: NanoCore 0x5b3b5:$a: NanoCore 0x10b5c:$b: ClientPlugin 0x10d5e:$b: ClientPlugin 0x10d9e:$b: ClientPlugin 0x5b17c:$b: ClientPlugin 0x5b37e:$b: ClientPlugin 0x5b3be:$b: ClientPlugin 0x10c83:$c: ProjectData 0x5b2a3:$c: ProjectData 0xe0ba2:$c: ProjectData 0x1168a:$d: DESCrypto 0x5bcaa:$d: DESCrypto
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8a865:$a: NanoCore 0x8a8be:$a: NanoCore 0x8a8fb:$a: NanoCore 0x8a974:$a: NanoCore 0x9e01f:$a: NanoCore 0x9e034:$a: NanoCore 0x9e069:$a: NanoCore 0xc628a:$a: NanoCore 0xc62a2:$a: NanoCore 0xc62cb:$a: NanoCore 0xdf11b:$a: NanoCore 0xdf130:$a: NanoCore 0xdf165:$a: NanoCore 0x107372:$a: NanoCore 0x10738a:$a: NanoCore 0x1073b3:$a: NanoCore 0x8a8c7:$b: ClientPlugin 0x8a904:$b: ClientPlugin 0x8b202:$b: ClientPlugin 0x8b20f:$b: ClientPlugin 0x9dddb:$b: ClientPlugin
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10e25:$x1: NanoCore.ClientPluginHost 0x10e62:$x2: IClientNetworkHost 0x14995:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b8d:$a: NanoCore 0x10b9d:$a: NanoCore 0x10dd1:$a: NanoCore 0x10de5:$a: NanoCore 0x10e25:$a: NanoCore 0x10bec:$b: ClientPlugin 0x10dee:$b: ClientPlugin 0x10e2e:$b: ClientPlugin 0x10d13:$c: ProjectData 0x164e32:$c: ProjectData 0x1171a:$d: DESCrypto 0x190e6:$e: KeepAlive 0x170d4:$g: LogClientMessage 0x132cf:$i: get_Connected 0x11a50:$j: #=q 0x11a80:$j: #=q 0x11a9c:$j: #=q 0x11acc:$j: #=q 0x11ae8:$j: #=q 0x11b04:$j: #=q 0x11b34:$j: #=q
Process Memory Space: Payment confirmation .exe PID: 4540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6aabd:$x1: NanoCore.ClientPluginHost 0x2efd72:$x1: NanoCore.ClientPluginHost 0x6aafa:$x2: IClientNetworkHost 0x2efdaf:$x2: IClientNetworkHost 0x6e5eb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79671:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86416:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f38a0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2fe926:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 4540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment confirmation .exe PID: 4540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 4540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a78a:$a: NanoCore 0x6a79a:$a: NanoCore 0x6a859:$a: NanoCore 0x6a868:$a: NanoCore 0x6aa69:$a: NanoCore 0x6aa7d:$a: NanoCore 0x6aabd:$a: NanoCore 0x75cdb:$a: NanoCore 0x75ced:$a: NanoCore 0x75d29:$a: NanoCore 0x82a80:$a: NanoCore 0x82a92:$a: NanoCore 0x82ace:$a: NanoCore 0x2efa3f:$a: NanoCore 0x2efa4f:$a: NanoCore 0x2efb0e:$a: NanoCore 0x2efb1d:$a: NanoCore 0x2efd1e:$a: NanoCore 0x2efd32:$a: NanoCore 0x2efd72:$a: NanoCore 0x2faf90:$a: NanoCore
Process Memory Space: Payment confirmation .exe PID: 5116	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x316ba:$x1: NanoCore.ClientPluginHost 0x3496f:$x1: NanoCore.ClientPluginHost 0x4fe57:$x1: NanoCore.ClientPluginHost 0x9e7d7:$x1: NanoCore.ClientPluginHost 0xc8277:$x1: NanoCore.ClientPluginHost 0xd7989:$x1: NanoCore.ClientPluginHost 0x316d4:$x2: IClientNetworkHost 0x349ac:$x2: IClientNetworkHost 0x4fe71:$x2: IClientNetworkHost 0x9e804:$x2: IClientNetworkHost 0xc8291:$x2: IClientNetworkHost 0xd79a3:$x2: IClientNetworkHost 0x3849d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43523:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 5116	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 5116	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15fc0:$a: NanoCore 0x1601b:$a: NanoCore 0x16090:$a: NanoCore 0x31624:$a: NanoCore 0x3167d:$a: NanoCore 0x316ba:$a: NanoCore 0x31733:$a: NanoCore 0x31f68:$a: NanoCore 0x31fbb:$a: NanoCore 0x31ff4:$a: NanoCore 0x32067:$a: NanoCore 0x32bb6:$a: NanoCore 0x3463c:$a: NanoCore 0x3464c:$a: NanoCore 0x3470b:$a: NanoCore 0x3471a:$a: NanoCore 0x3491b:$a: NanoCore 0x3492f:$a: NanoCore 0x3496f:$a: NanoCore 0x3fb8d:$a: NanoCore 0x3fb9f:$a: NanoCore
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.Payment confirmation .exe.6800000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6800000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6804c9f.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6804c9f.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.6800000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6800000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.5390000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.5390000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Payment confirmation .exe.3ef5c98.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3ef5c98.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3ef5c98.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3ef5c98.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x3c845:$x1: NanoCore.ClientPluginHost 0x556df:$x1: NanoCore.ClientPluginHost 0x7d92d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x3c85f:$x2: IClientNetworkHost 0x5570c:$x2: IClientNetworkHost 0x7d947:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x3c845:$x2: NanoCore.ClientPluginHost 0x556df:$x2: NanoCore.ClientPluginHost 0x7d92d:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x3fb82:$s4: PipeCreated 0x567ba:$s4: PipeCreated 0x80c6a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x3c832:$s5: IClientLoggingHost 0x556f9:$s5: IClientLoggingHost 0x7d91a:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x3c804:$a: NanoCore 0x3c81c:$a: NanoCore 0x3c845:$a: NanoCore 0x55695:$a: NanoCore 0x556aa:$a: NanoCore 0x556df:$a: NanoCore 0x7d8ec:$a: NanoCore 0x7d904:$a: NanoCore 0x7d92d:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin
0.2.Payment confirmation .exe.3d0cc08.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3d0cc08.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3d0cc08.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.3e878bc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e878bc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e878bc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x37a0f:$x1: NanoCore.ClientPluginHost 0x508a9:$x1: NanoCore.ClientPluginHost 0x78af7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x37a29:$x2: IClientNetworkHost 0x508d6:$x2: IClientNetworkHost 0x78b11:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x37a0f:$x2: NanoCore.ClientPluginHost 0x508a9:$x2: NanoCore.ClientPluginHost 0x78af7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x3ad4c:$s4: PipeCreated 0x51984:$s4: PipeCreated 0x7be34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x379fc:$s5: IClientLoggingHost 0x508c3:$s5: IClientLoggingHost 0x78ae4:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.680e8a4.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.680e8a4.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6070000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.2e59678.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.2e59678.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x333e6:$x1: NanoCore.ClientPluginHost 0x4c280:$x1: NanoCore.ClientPluginHost 0x744ce:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x33400:$x2: IClientNetworkHost 0x4c2ad:$x2: IClientNetworkHost 0x744e8:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x333e6:$x2: NanoCore.ClientPluginHost 0x4c280:$x2: NanoCore.ClientPluginHost 0x744ce:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x36723:$s4: PipeCreated 0x4d35b:$s4: PipeCreated 0x7780b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x333d3:$s5: IClientLoggingHost 0x4c29a:$s5: IClientLoggingHost 0x744bb:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.2d2f510.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Payment confirmation .exe.2d3e02c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x5a7ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5a7ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x5a515:$a: NanoCore 0x5a525:$a: NanoCore 0x5a759:$a: NanoCore 0x5a76d:$a: NanoCore 0x5a7ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x5a574:$b: ClientPlugin 0x5a776:$b: ClientPlugin 0x5a7b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x5a69b:$c: ProjectData 0xdff9a:$c: ProjectData 0x10a82:$d: DESCrypto 0x5b0a2:$d: DESCrypto
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x16419a:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
Click to see the 69 entries

Sigma Overview

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5116, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

System Summary

Sigma detected: Suspicius Add Task From User AppData Temp

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, ProcessId: 4688

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, ProcessId: 5776

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, ProcessId: 5776

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132875911133208884.5776.DefaultAppDomain.powershell

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: Payment confirmation .exe	Virustotal: Detection: 31%			Perma Link
Source: Payment confirmation .exe	ReversingLabs: Detection: 32%

Antivirus detection for URL or domain

Source: 37.120.210.211

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe

ReversingLabs: Detection: 32%

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Machine Learning detection for sample

Source: Payment confirmation .exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Joe Sandbox ML: detected

Source: 21.0.Payment confirmation .exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.6070000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 21.0.Payment confirmation .exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Payment confirmation .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 37.120.210.211
Source: Malware configuration extractor	URLs: naki.airdns.org

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Source: global traffic

TCP traffic: 192.168.2.6:49811 -> 146.70.76.43:56281

Source: Payment confirmation .exe, 00000000.00000003.357486991.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357630236.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357683121.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356117157.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356305451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000003.357825255.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357302229.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357469019.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357024345.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357977143.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356575956.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356445695.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356700406.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356887648.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357619118.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357149641.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.como
Source: Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comug
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment confirmation .exe, 00000000.00000003.367709317.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html%
Source: Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com3
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com9
Source: Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comac
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comces
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comcyK
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comesH
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comhly
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comlg
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comncyI
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comr-t
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comso
Source: Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366935086.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367218271.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367116516.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comt0
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comth
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comva&
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comypo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380893532.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382778780.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381168425.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.380694836.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393142180.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers%
Source: Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374545461.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374384052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382554954.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382497875.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: Payment confirmation .exe, 00000000.00000003.380972243.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381322016.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381187839.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381501028.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381061897.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380504872.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380770592.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380416970.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: Payment confirmation .exe, 00000000.00000003.376830096.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersc
Source: Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersh
Source: Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000002.559399340.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdia
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnls(
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnmpa
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnno
Source: Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrm
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsof0
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.386807451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386605316.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387075190.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387222007.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386931372.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr-c
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krmn-u
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.386028171.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comno.
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.368239598.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368365048.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368048501.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comd
Source: Payment confirmation .exe, 00000000.00000003.360911622.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361056673.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krTF
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr_
Source: Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krs-c
Source: Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.coms
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383309388.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383712360.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383422790.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383830654.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383630749.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383516270.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deg
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de~
Source: Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnk
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnls(
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.V

Source: unknown

DNS traffic detected: queries for: naki.airdns.org

Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment confirmation .exe

Source: Payment confirmation .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6F80	0_2_02BB6F80
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6F72	0_2_02BB6F72
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6D30	0_2_02BB6D30
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6D22	0_2_02BB6D22
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05794454	0_2_05794454
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_0579C658	0_2_0579C658
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05792330	0_2_05792330
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05790D94	0_2_05790D94
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05791C18	0_2_05791C18
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_0758DDA8	0_2_0758DDA8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07582102	0_2_07582102
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07585770	0_2_07585770
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07585508	0_2_07585508
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119E471	21_2_0119E471
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119E480	21_2_0119E480
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119BBD4	21_2_0119BBD4
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05376550	21_2_05376550
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05373E30	21_2_05373E30
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537BED8	21_2_0537BED8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05374A50	21_2_05374A50
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537CAF0	21_2_0537CAF0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05374B08	21_2_05374B08
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537CBAE	21_2_0537CBAE

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process Stats: CPU usage > 98%

Source: Payment confirmation .exe, 00000000.00000002.558685046.0000000000A66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567565837.00000000074C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567891113.0000000007690000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000000.550290214.00000000009E6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe

Source: Payment confirmation .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iBGUhLU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Payment confirmation .exe	Virustotal: Detection: 31%
Source: Payment confirmation .exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\Payment confirmation .exe

Jump to behavior

Source: Payment confirmation .exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment confirmation .exe "C:\Users\user\Desktop\Payment confirmation .exe"
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/9@2/1

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\NFjYqzvaoo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2616a878-9933-42e4-9fe0-3b57e29bc1f5}

Source: Payment confirmation .exe, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Payment confirmation .exe, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment confirmation .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains potential unpacker

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: Payment confirmation .exe, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.1.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07310C15 push FFFFFF8Bh; iretd	0_2_07310C17
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_065618FC push E802005Eh; retf	21_2_06561901
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_06561912 pushad ; retf	21_2_06561929
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_06561904 push E801035Eh; ret	21_2_06561909

Source: initial sample	Static PE information: section name: .text entropy: 7.86642009336
Source: initial sample	Static PE information: section name: .text entropy: 7.86642009336

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Users\user\Desktop\Payment confirmation .exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Payment confirmation .exe.2d2f510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.2d3e02c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5584	Thread sleep time: -34001s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5408	Thread sleep time: -62000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3456	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 1352	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6227	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2358	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 3363	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 5848	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 34001	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory written: C:\Users\user\Desktop\Payment confirmation .exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe			Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior

Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\|$,
Source: Payment confirmation .exe, 00000015.00000002.617591812.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617574269.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621629051.000000000696E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621303249.0000000005EAB000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621509072.000000000654E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621454017.00000000061CD000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621476746.000000000630F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(h
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	23 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment confirmation .exe	32%	Virustotal		Browse
Payment confirmation .exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
Payment confirmation .exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\iBGUhLU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\iBGUhLU.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.0.Payment confirmation .exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.Payment confirmation .exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.Payment confirmation .exe.6070000.9.unpack	100%	Avira	TR/NanoCore.fadte	Download File
21.0.Payment confirmation .exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
naki.airdns.org	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.carterandcone.comces	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cnK	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.goodfont.co.kr-c	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnrm	0%	Avira URL Cloud	safe
37.120.210.211	4%	Virustotal		Browse
37.120.210.211	100%	Avira URL Cloud	malware
naki.airdns.org	0%	Avira URL Cloud	safe
http://www.carterandcone.com3	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.urwpp.de~	0%	Avira URL Cloud	safe
http://www.carterandcone.comt0	0%	Avira URL Cloud	safe
http://www.carterandcone.comypo	0%	URL Reputation	safe
http://www.founder.com.cn/cnno	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.fontbureau.comdia	0%	URL Reputation	safe
http://www.sandoll.co.krs-c	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sandoll.co.krTF	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comncyI	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnls(	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnsof0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.carterandcone.com9	0%	URL Reputation	safe
http://fontfabrik.comug	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html%	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.carterandcone.comac	0%	Avira URL Cloud	safe
http://www.sakkal.comd	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://fontfabrik.como	0%	Avira URL Cloud	safe
http://www.goodfont.co.krmn-u	0%	Avira URL Cloud	safe
http://www.carterandcone.comth	0%	Avira URL Cloud	safe
http://www.carterandcone.comcyK	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comno.	0%	Avira URL Cloud	safe
http://www.carterandcone.comc	0%	URL Reputation	safe
http://www.tiro.comslnt	0%	URL Reputation	safe
http://www.tiro.coms	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.V	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnmpa	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmo	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.comlg	0%	Avira URL Cloud	safe
http://www.carterandcone.comm	0%	URL Reputation	safe
http://www.sandoll.co.kr_	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.zhongyicts.com.cnk	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comhly	0%	URL Reputation	safe
http://www.founder.com.cn/cnls(	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.urwpp.deg	0%	Avira URL Cloud	safe
http://www.carterandcone.comesH	0%	Avira URL Cloud	safe
http://www.carterandcone.comr-t	0%	Avira URL Cloud	safe
http://www.carterandcone.comso	0%	Avira URL Cloud	safe
http://www.carterandcone.comva&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
naki.airdns.org	146.70.76.43	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
37.120.210.211	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
naki.airdns.org	true	Avira URL Cloud: safe	unknown
0,0,343003226,0000000000A68000,00000002,00000001,01000000,00000003,3,D7A61577F9C39F0C	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.comces	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comn-u	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnK	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr-c	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersB	Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnrm	Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380893532.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382778780.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381168425.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.com3	Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de~	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comt0	Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366935086.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367218271.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367116516.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comypo	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnno	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdia	Payment confirmation .exe, 00000000.00000002.559399340.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krs-c	Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersh	Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krTF	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356117157.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356305451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comncyI	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnls(	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnsof0	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnl	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com9	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comug	Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersc	Payment confirmation .exe, 00000000.00000003.376830096.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersb	Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html%	Payment confirmation .exe, 00000000.00000003.367709317.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com	Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Payment confirmation .exe, 00000000.00000003.360911622.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361056673.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comac	Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.comd	Payment confirmation .exe, 00000000.00000003.368239598.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368365048.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368048501.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383309388.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383712360.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383422790.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383830654.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383630749.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383516270.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.como	Payment confirmation .exe, 00000000.00000003.357825255.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357302229.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357469019.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357024345.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357977143.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356575956.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356445695.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356700406.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356887648.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357619118.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357149641.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.krmn-u	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comth	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comcyK	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.comno.	Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comc	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comslnt	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.coms	Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.V	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers~	Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnmpa	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmo	Payment confirmation .exe, 00000000.00000003.386807451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386605316.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387075190.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387222007.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386931372.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmle	Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382554954.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382497875.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://en.w	Payment confirmation .exe, 00000000.00000003.357486991.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357630236.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357683121.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comlg	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comm	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr_	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnk	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Payment confirmation .exe, 00000000.00000003.380972243.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381322016.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381187839.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381501028.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381061897.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380504872.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380770592.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380416970.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comhly	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnls(	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	Payment confirmation .exe, 00000000.00000003.386028171.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers%	Payment confirmation .exe, 00000000.00000003.380694836.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393142180.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deg	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comesH	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comr-t	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374545461.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374384052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comso	Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comva&	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlH	Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.70.76.43	naki.airdns.org	United Kingdom		2018	TENET-1ZA	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	559231
Start date:	25.01.2022
Start time:	05:29:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment confirmation .exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/9@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 2.2% (good quality ratio 2.1%) Quality average: 78.9% Quality standard deviation: 25.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 42 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:30:52	API Interceptor	157x Sleep call for process: Payment confirmation .exe modified
05:31:58	API Interceptor	44x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
146.70.76.43	DHL Documents For Delivery.exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse
	Payment confirmation .exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
naki.airdns.org	DHL Documents For Delivery.exe	Get hash	malicious	Browse	146.70.76.43
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	Payment confirmation .exe	Get hash	malicious	Browse	37.120.210.211
	Payment confirmation .exe	Get hash	malicious	Browse	194.187.251.163
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211
	MT103-Advance.Payment..pdf.exe	Get hash	malicious	Browse	213.152.161.249
	dhlDocument .exe	Get hash	malicious	Browse	37.120.210.211

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TENET-1ZA	fB3EW65a8w	Get hash	malicious	Browse	146.239.195.225
	lZCFIfLn6U	Get hash	malicious	Browse	146.70.207.94
	pandora.arm7	Get hash	malicious	Browse	146.237.205.5
	pandora.arm	Get hash	malicious	Browse	146.239.80.80
	DHL Documents For Delivery.exe	Get hash	malicious	Browse	146.70.76.43
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	AujjyFfdJL	Get hash	malicious	Browse	196.248.38.27
	z2N2U5dYif	Get hash	malicious	Browse	155.232.26.236
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	GCYaWBzazn	Get hash	malicious	Browse	146.239.195.222
	52lN2HSY7O	Get hash	malicious	Browse	155.232.197.139
	hWLlYv2MAX	Get hash	malicious	Browse	152.116.213.254
	CK8BFmrJs3	Get hash	malicious	Browse	155.238.136.197
	Payment confirmation .exe	Get hash	malicious	Browse	146.70.76.43
	b3astmode.x86	Get hash	malicious	Browse	152.106.77.36
	4SiZKGBMOY	Get hash	malicious	Browse	154.114.95.162
	8I4YXRv374	Get hash	malicious	Browse	196.21.55.105
	UgNtYb3T3d	Get hash	malicious	Browse	155.238.0.92
	loligang.arm	Get hash	malicious	Browse	155.240.194.123
	K0FLQjeV3N	Get hash	malicious	Browse	146.230.43.157

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22308
Entropy (8bit):	5.601222598067954
Encrypted:	false
SSDEEP:	384:ptCDFC0Nr/0968S0nAjultISD7Y9glSJ3xKT1MaXZlbAV7evWLSZBDI+9g:I/YfTACltt3lcICefwy5Vs
MD5:	D08243BF44C39C230E13DE5552CFC229
SHA1:	C05BE7254C2075C784DD4B232BFF0B6EA7B48BBD
SHA-256:	3851DD96A08B0E86AC34F1FCB2D5A24F0A9AC75B9F1462C1072CBB5B8A38A13A
SHA-512:	3801C6FCB595213D3C85E5DE6E0B0B7F6A8E536B02559440FF93986A7B77DA530B583898A5729FEB916BE73C68826C9D79DC92E3FDB744C4F2A2B77D4A2D9388
Malicious:	false
Reputation:	low
Preview:	@...e...................h...a.Y.V.........I..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bf0tqcoi.ti0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fw12uc5a.y50.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1606
Entropy (8bit):	5.116364367259849
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLi7xvn:cgea6YrFdOFzOzN33ODOiDdKrsuT0v
MD5:	9A2AE254726CA1E04F7FD2936BC67727
SHA1:	AC650650400D0E16BB0096603F4FDB882EA30A5C
SHA-256:	8B745FC3F6B96C0FFF0D79A1F2E19CED30436F4D52C5E6948D35D9A6B9CC0A6B
SHA-512:	54C37099355A397324B26FD6C5361DC365F5890267240F5E4D74F8FCA4572A4FBE7980DA3CCC15A86D1AAC0F35DEE515C5B59D72B1970185843ABC523796C5D1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:D+8tn:a8tn
MD5:	94BD220310AF83D117DA8CA8A3BBCA0B
SHA1:	DCFE8F5B801F13E2D95BC41546A55A75A3EAEB10
SHA-256:	4D8124FCE210AED26231BA07B7540B0AD6ED3F43A27B3A2C92DF26C7FBE0AF74
SHA-512:	F2BCDFC397913F3C1A3CC16419AC2F8B57660B2FC28225600B2C4CEB961F6C2C23AACBBC56248EE65CA436D1891233BA453A59183FB82F76C71BCA48AFEF753C
Malicious:	true
Preview:	.kK....H

C:\Users\user\AppData\Roaming\iBGUhLU.exe

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	993280
Entropy (8bit):	7.851238509161969
Encrypted:	false
SSDEEP:	24576:1MJS/fy8oTImIQoM46ayaad63/85GFnhZ5AVU7wsh6I:1MQ/fYJIvmFEZCUxh6I
MD5:	0D98108AA5A3383C2C3152CF2CD5AE9A
SHA1:	E08D7BA0BF0AC4F93D17E71D27A82DFB22058626
SHA-256:	796F57DA16FA76BD10AFB6A16F9F75B78673F47556CE4D93D93EC34B5D898F61
SHA-512:	8018995A3768CA9C91C4837E82167BB386ADBBE7A06054034A10A21AA07C1D2BFD4D62A58CED067AFC232B4A91CCB8E9988FF70F9A4B2A44553030D7D88966A0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l?.a............................>(... ...@....@.. ....................................@..................................'..K....`.. ............................................................................ ............... ..H............text...D.... ...................... ..`.sdata.......@......................@....rsrc... ....`......................@..@.reloc...............&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\iBGUhLU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220125\PowerShell_transcript.928100.EGNDur5V.20220125053156.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5807
Entropy (8bit):	5.378693775721289
Encrypted:	false
SSDEEP:	96:BZkTLGN7qDo1ZOZFTLGN7qDo1ZPrpDjZsTLGN7qDo1ZOWTTQZ3:m
MD5:	EED916291A2BFA3A57D4F776CD15D542
SHA1:	290FE8AB5F6D45987BBC4F488990B236CE80ECEA
SHA-256:	9D914FC076BB34E47CA55D9920B38C72BD785D25971B2CD430E5F276C450BB08
SHA-512:	B0102F73A0C9E73B58F65360450C0ED327432E54B1FCB7E341F7C36DB8E9F219EE6A8759E3CBFA8D156634EB9F9A0F583282DBB0885E0D9AA14DD37702D517F1
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220125053158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iBGUhLU.exe..Process ID: 5776..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220125053158..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iBGUhLU.exe..********************..Windows PowerShell transcript start..Start time: 20220125053539..Username: computer\user..RunAs User: DESKTOP-716

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.851238509161969
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Payment confirmation .exe
File size:	993280
MD5:	0d98108aa5a3383c2c3152cf2cd5ae9a
SHA1:	e08d7ba0bf0ac4f93d17e71d27a82dfb22058626
SHA256:	796f57da16fa76bd10afb6a16f9f75b78673f47556ce4d93d93ec34b5d898f61
SHA512:	8018995a3768ca9c91c4837e82167bb386adbbe7a06054034a10a21aa07c1d2bfd4d62a58ced067afc232b4a91ccb8e9988ff70f9a4b2a44553030d7d88966a0
SSDEEP:	24576:1MJS/fy8oTImIQoM46ayaad63/85GFnhZ5AVU7wsh6I:1MQ/fYJIvmFEZCUxh6I
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l?.a............................>(... ...@....@.. ....................................@................................

File Icon


Icon Hash:	192d555d6d45650b

Static PE Info

General

Entrypoint:	0x4f283e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61EF3F6C [Tue Jan 25 00:08:12 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf27f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0x1520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf0844	0xf0a00	False	0.917583198052	data	7.86642009336	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xf4000	0x1e8	0x200	False	0.861328125	data	6.61807085145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0x1520	0x1600	False	0.273970170455	data	3.59842284173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf6130	0xea8	data
RT_GROUP_ICON	0xf6fd8	0x14	data
RT_VERSION	0xf6fec	0x348	data
RT_MANIFEST	0xf7334	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2010
Assembly Version	1.0.0.0
InternalName	ObjRefSurroga.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	CSMDown
ProductVersion	1.0.0.0
FileDescription	CSMDown
OriginalFilename	ObjRefSurroga.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2022 05:32:17.356909037 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:20.364269972 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:26.380498886 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:34.445142031 CET	49838	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:37.443854094 CET	49838	56281	192.168.2.6	146.70.76.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2022 05:32:17.074172974 CET	50010	53	192.168.2.6	8.8.8.8
Jan 25, 2022 05:32:17.347052097 CET	53	50010	8.8.8.8	192.168.2.6
Jan 25, 2022 05:32:34.326653957 CET	62116	53	192.168.2.6	8.8.8.8
Jan 25, 2022 05:32:34.432260036 CET	53	62116	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2022 05:32:17.074172974 CET	192.168.2.6	8.8.8.8	0x6641	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 25, 2022 05:32:34.326653957 CET	192.168.2.6	8.8.8.8	0x5d8	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2022 05:32:17.347052097 CET	8.8.8.8	192.168.2.6	0x6641	No error (0)	naki.airdns.org		146.70.76.43	A (IP address)	IN (0x0001)
Jan 25, 2022 05:32:34.432260036 CET	8.8.8.8	192.168.2.6	0x5d8	No error (0)	naki.airdns.org		146.70.76.43	A (IP address)	IN (0x0001)

Start time:	05:30:23
Start date:	25/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment confirmation .exe"
Imagebase:	0x970000
File size:	993280 bytes
MD5 hash:	0D98108AA5A3383C2C3152CF2CD5AE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Start time:	05:31:53
Start date:	25/01/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Start time:	05:31:54
Start date:	25/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Start time:	05:31:58
Start date:	25/01/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Start time:	05:31:59
Start date:	25/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Start time:	05:31:59
Start date:	25/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment confirmation .exe
Imagebase:	0x8f0000
File size:	993280 bytes
MD5 hash:	0D98108AA5A3383C2C3152CF2CD5AE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	56
Total number of Limit Nodes:	6

Executed Functions

Function 07582102 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc39ea319f7d26b7e14237f1741b459bb128e93c97a3b987898432bfce4da634
Instruction ID: 0721845a234352bab0ea88dda67e827ca0cf74cb1ec9a561a224315064c9a6bd
Opcode Fuzzy Hash: cc39ea319f7d26b7e14237f1741b459bb128e93c97a3b987898432bfce4da634
Instruction Fuzzy Hash: 2952FB74A002188FCB64DF64C9A5ADDBBB6BF89304F1085D9D909AB395CF34AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0758DDA8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4dde3edf84d8c6a9ce2d94428f2f04005e83f591371172b64ce7cc623deb38
Instruction ID: 6d73647c00756732c7a48aacbd1e675be008989eaf845898c398e55868a13824
Opcode Fuzzy Hash: db4dde3edf84d8c6a9ce2d94428f2f04005e83f591371172b64ce7cc623deb38
Instruction Fuzzy Hash: B271EFB0E15319CBDB94EFA9C4447EDFAF1BB4A304F10A42AC419B7285DB389885CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0758D130 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0758D366

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3c079252e9933529017f4db8a5ee31f233ad2e38d69b0aa09217696e7785ded3
Instruction ID: 8b29214b4b50294ce6c65e5d0313af7d8de3eea68d7e600b59d4f6c83182a68a
Opcode Fuzzy Hash: 3c079252e9933529017f4db8a5ee31f233ad2e38d69b0aa09217696e7785ded3
Instruction Fuzzy Hash: EF915CB1E00319CFDB50EFA4C840BDDBAF6BB48314F1485AAD849B7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BB556C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BB5629

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1747c1ad12e29ca65f4efa2ff62b3d1f8c330fdb5ec68c1e9d02deafe4ef8c6d
Instruction ID: 6c012df6d28153f42cb05dc086e2e167e79fa02aef94feccb8626afc4c44744d
Opcode Fuzzy Hash: 1747c1ad12e29ca65f4efa2ff62b3d1f8c330fdb5ec68c1e9d02deafe4ef8c6d
Instruction Fuzzy Hash: AF410271C0021CCBDF20DFA9C8847DEBBB5BF48308F60846AD409AB251DBB16946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02BB416C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BB5629

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4fda8759945620a0b017433a6c6968f2b0c467bbc82ae818fbe6aa7cc0a56699
Instruction ID: a85f86acc2438308568f4a18e87f508aff41218352fbeea1a0f599d6305ae7af
Opcode Fuzzy Hash: 4fda8759945620a0b017433a6c6968f2b0c467bbc82ae818fbe6aa7cc0a56699
Instruction Fuzzy Hash: D541E271C0061CCBDB25DFA9C884BDEBBB5BF48308F60846AD409AB251DBB16946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0758CEA8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0758CF38

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5bbfa1d417eeb21b8bd856a7fcb2997f3ef6ee80d2775caf723515e68e8fb6b
Instruction ID: 19b616511fa88aa03218b41e57c0f4080f95e2ec62f4d72a44d03d06f6a78a24
Opcode Fuzzy Hash: a5bbfa1d417eeb21b8bd856a7fcb2997f3ef6ee80d2775caf723515e68e8fb6b
Instruction Fuzzy Hash: 642127B19003099FDF10DFA9C8847DEBBF5FF48314F10882AE919A7240D778A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0758CD10 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 0758CD8E

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 63a19439cb91f074e2d7692808932adeb0a6cbe7f7843812f4c462d15e994a95
Instruction ID: 7b087ca51f3c8f2b1ba5a8e65bac38e56e2106253b0d178685ac51e946f30192
Opcode Fuzzy Hash: 63a19439cb91f074e2d7692808932adeb0a6cbe7f7843812f4c462d15e994a95
Instruction Fuzzy Hash: D8211AB19002099FDB50DFA9C4847EEBBF4AF48214F14842AD519B7641DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0758CF98 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0758D018

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 10d8e8d088d701e35ed01706a5f102679dd968f8411f7256516f3fe28bdd838c
Instruction ID: 0e4b0cda2a0148fe4fd51888a41060787a898335cf65e5175e29a1a3b4dc807a
Opcode Fuzzy Hash: 10d8e8d088d701e35ed01706a5f102679dd968f8411f7256516f3fe28bdd838c
Instruction Fuzzy Hash: BB2139B19003099FCF10DFAAC8806EEBBF5FF48314F50882AE518A7240D779A951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BBE0D8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BBF3A9,00000800,00000000,00000000), ref: 02BBF5BA

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b7112572c50705b5290023ded795327836c8086cc85c6e4a33e8eb7dc6145aae
Instruction ID: 28ac8a4129ee002d20b93df00202a6513e7439bbad7a331bb8c1bed347a0f70c
Opcode Fuzzy Hash: b7112572c50705b5290023ded795327836c8086cc85c6e4a33e8eb7dc6145aae
Instruction Fuzzy Hash: 9E1106B69002098FCB10CF9AC844BEEBBF4EF48324F14846EE415B7601C7B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0758CDE8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0758CE56

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a8243cdc51b89acf1d5558bf2e61f0b4a4618fadd9ce64f5b9f1b89ae2da69b
Instruction ID: 0930ec10c2c33625322104e75af035a60bdb5987a55792f26ab120ca5a96f5e3
Opcode Fuzzy Hash: 5a8243cdc51b89acf1d5558bf2e61f0b4a4618fadd9ce64f5b9f1b89ae2da69b
Instruction Fuzzy Hash: 6E1137719002499FCF11DFA9C844BDFBBF9AF88324F14882AE529B7650C775A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0758CC60 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0758CCC2

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 90ec97ead8934a330a091c3bb442151c30c8ce6b51f3bf06986b511ad44e4f97
Instruction ID: 93abce8a59c969ac5cb50e23462248eaba83d6a0ee424d7b6897b892d1fe95fd
Opcode Fuzzy Hash: 90ec97ead8934a330a091c3bb442151c30c8ce6b51f3bf06986b511ad44e4f97
Instruction Fuzzy Hash: AA110DB19002498FDB10DFAAD4457EFFBF9AB88224F14882AD515B7740C7756544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BBEEC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BBEF2E

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4fd9f2f229c34d9ab395f2522385674c40e27c78622acdb181586c12a0d8d77b
Instruction ID: 5d0c02a6782411abbd896573e4c007fa484b85aa2652d305ab873571711547dd
Opcode Fuzzy Hash: 4fd9f2f229c34d9ab395f2522385674c40e27c78622acdb181586c12a0d8d77b
Instruction Fuzzy Hash: CD11E3B5D006498FDB10CF9AC444BDEFBF4EF88228F14846AD419B7610C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0579E7A1 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0579E805

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8989a963e73e51735753f84afb6cd3acb62f51e06a5ba7a78e0157fb2dd911e1
Instruction ID: be7a579e7538f742f1ce8dacafedb160dfb0edd9a1030a7f7ddc7b45d7c3acde
Opcode Fuzzy Hash: 8989a963e73e51735753f84afb6cd3acb62f51e06a5ba7a78e0157fb2dd911e1
Instruction Fuzzy Hash: E31136B5800649CFDB10CF99D884BDFBBF8FB88324F10841AD815A3600C3756554CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0579E7A8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0579E805

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fa0b906b5f521ce17d6a31b74ccad1e307c8e49584af87cda6efc31508d79853
Instruction ID: 80c80bc9f38b8be82508b69a8f7f7a6ab003195f99b90d8f93acd14c5416887a
Opcode Fuzzy Hash: fa0b906b5f521ce17d6a31b74ccad1e307c8e49584af87cda6efc31508d79853
Instruction Fuzzy Hash: 4D11D3B58002499FDB10DF99D885BDEBBF8FB48324F14841AD955A7600C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0731035A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567461057.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7310000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545601ad5bb75c3dfba60b33b35356bbe57fd520fab9549bc1be298651c56d07
Instruction ID: d3bbabfb936045fc35579041cb5cb45fb8f290436f2af55ccc5af63d38807255
Opcode Fuzzy Hash: 545601ad5bb75c3dfba60b33b35356bbe57fd520fab9549bc1be298651c56d07
Instruction Fuzzy Hash: 993106B4D05229CFDB08CFA5D5483FEBBF4AB0A305F0084AAE458A3291D7794685CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07310368 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567461057.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7310000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c2b99472fa42460952a1b93031a193104d92d88fd9d0bd32cae936fd38951f
Instruction ID: 2f12631f1f972967b8c3c5294603a93aab7cd42c17abf2ed98b38a207ec13258
Opcode Fuzzy Hash: 33c2b99472fa42460952a1b93031a193104d92d88fd9d0bd32cae936fd38951f
Instruction Fuzzy Hash: E721E3B0C05229CFEB08CFA9D5487FEBBF4BB0A305F10846AD419B2290D7784684CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BB6F80 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

N, xrefs: 02BB9AF6

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 6ec109d60f690932be1c7abeb41507ed4709b45731211d5f0948de588ade7c4d
Instruction ID: 4a40bdea440240a635db9ae578f8140ee9c95cb6290aefbce8dbb628d387387e
Opcode Fuzzy Hash: 6ec109d60f690932be1c7abeb41507ed4709b45731211d5f0948de588ade7c4d
Instruction Fuzzy Hash: D4515D71D016598BEB29CF6B8C4479AFAF3AFC9344F18C1FA881CAA255DB7045858F50

Uniqueness

Uniqueness Score: -1.00%

Function 05792330 Relevance: .9, Instructions: 914COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fce197fd3f83c92941970e9d7feb55890d5c9a5a066ce7b462983085863b16
Instruction ID: 624f55d0da680ca542210b655b5af5b5db8d7ce482b76c65eeb00a2e8bd7dd93
Opcode Fuzzy Hash: 53fce197fd3f83c92941970e9d7feb55890d5c9a5a066ce7b462983085863b16
Instruction Fuzzy Hash: 29724B38E00219DFCF14EFA8D884AADBBB2FF44310F158599D849AB256D730AD91DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0579C658 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc5387e080d68113496be465a09de9da1dc4364a8ff92e81b3e62d6612bef40
Instruction ID: 0b5919afeee559d4014b455c7545d4300ae59ca2874359575f374e4320fcb0a4
Opcode Fuzzy Hash: 3fc5387e080d68113496be465a09de9da1dc4364a8ff92e81b3e62d6612bef40
Instruction Fuzzy Hash: 63529475B001159FCF19DF68D4989ADBBBAFF89354B158069E806DB3A0DB30EC01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05794454 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1d9ff2aace838feb310267bb97dd36274111bc73cabe80481be0a032c2e8af
Instruction ID: 0016bc5731691f3c5edf90afdbf75af5dd92f0e1bbafb5b2d854b968f86dc1ad
Opcode Fuzzy Hash: 5d1d9ff2aace838feb310267bb97dd36274111bc73cabe80481be0a032c2e8af
Instruction Fuzzy Hash: F7721770A10219CFCB15EB64C988AECB7B2BF95300F5586E9D5497B210EBB1ADC6CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05790D94 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab3793913e9110cfeff72f8b5300ac8dd23c8e3bbabd0dd2fc21a18ea5b7e40
Instruction ID: 4e476cb7ada135c00fa6e8098f5bf2f62910a3fdfa3b14144b3a488cd84c072c
Opcode Fuzzy Hash: 1ab3793913e9110cfeff72f8b5300ac8dd23c8e3bbabd0dd2fc21a18ea5b7e40
Instruction Fuzzy Hash: 63323830E10619CFDF19EF75D848AACB7B2BF85304F5685E9D4096B221EB31A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05791C18 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567008688.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f98828353bae06d8f872ebd497b54056b274343aad7225584b921bcdaaf6dc4
Instruction ID: b3202a087554a05c539850dd64de45e49f09fa5eb064b0a21744699248ba7146
Opcode Fuzzy Hash: 0f98828353bae06d8f872ebd497b54056b274343aad7225584b921bcdaaf6dc4
Instruction Fuzzy Hash: 97227C34A00219CFCB14DF68D884AADBBB2FF85314F518599E909AB365DB30ED95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07585508 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00edaf9e0b224c5d86df05dc45e9d139240fa9747867a5fc0a2202899cfae0b
Instruction ID: 45ff99d876bd1aecb99cede73f13673237868c7f820e7a6983d8b8e2dc289d9d
Opcode Fuzzy Hash: a00edaf9e0b224c5d86df05dc45e9d139240fa9747867a5fc0a2202899cfae0b
Instruction Fuzzy Hash: 20517270A01609CFDB44EFB9E8816DDBBF2AF85304F00C829D1449B368EB755D05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02BB6D22 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa321cf702055179a0325400619771c389035e307455c478c18e6092e10ec36f
Instruction ID: c8dfcfbb6df3bce01528d7f9a9278ae5cd00dbdf54df220c5de00f005971f8ad
Opcode Fuzzy Hash: fa321cf702055179a0325400619771c389035e307455c478c18e6092e10ec36f
Instruction Fuzzy Hash: C8518174D006088FD745EFF9E84568EBBF2AF86308F10C929D114AB378DBB569069F52

Uniqueness

Uniqueness Score: -1.00%

Function 02BB6D30 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985df1a6caf01346facf2ad5337237fb8465a436fb7ba4dd1acf026cfc703041
Instruction ID: 2c0a80751024829c444314d653f148e7e7c102644bb7e01e5275b38604948390
Opcode Fuzzy Hash: 985df1a6caf01346facf2ad5337237fb8465a436fb7ba4dd1acf026cfc703041
Instruction Fuzzy Hash: 4B517E74D006088FD745EFB9E84568EBBF2AF86308F10C929D114AB378DBB669059F52

Uniqueness

Uniqueness Score: -1.00%

Function 02BB6F72 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.559578267.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bb0000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3e0c86e9f92ac9ee555475f5ed3a196802eee80333f0e11234e8edbae494c9
Instruction ID: fd49835c31b5f7e87d6581c46ab8ffc0227fb4aef77ad6655b1d2ed7de94d234
Opcode Fuzzy Hash: bc3e0c86e9f92ac9ee555475f5ed3a196802eee80333f0e11234e8edbae494c9
Instruction Fuzzy Hash: 54516C71D056598BEB19CF6B8C446DEFAF3AFC5304F18C1FA891CAA255DB7049428F11

Uniqueness

Uniqueness Score: -1.00%

Function 07585770 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.567660291.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7580000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8293ca240d6d7b2b1c276e5f7b5fde3a554a31c46016c7f3054c0490db50e4
Instruction ID: 24a7bd9be2b88ba622005ba1b4b4228b1e2b5284da954fc17baf576b36896345
Opcode Fuzzy Hash: db8293ca240d6d7b2b1c276e5f7b5fde3a554a31c46016c7f3054c0490db50e4
Instruction Fuzzy Hash: BB4142B1E016188BEB6CCF6B8D4079EFAF7BFC9200F14D5BA990CA6255EB3049458F15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment confirmation .exePID: 5116, Parent PID: 4540COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	243
Total number of Limit Nodes:	13

Executed Functions

Function 0119B6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0119B730
GetCurrentThread.KERNEL32 ref: 0119B76D
GetCurrentProcess.KERNEL32 ref: 0119B7AA
GetCurrentThreadId.KERNEL32 ref: 0119B803

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d39189052fe6e1330b026a968abefb95830742fc3bdd7dddd7eba6c07b1ecbcf
Instruction ID: 600b18412dedd02a31831a68d4506db5d22b6ecf85d634616d76b830ff322c60
Opcode Fuzzy Hash: d39189052fe6e1330b026a968abefb95830742fc3bdd7dddd7eba6c07b1ecbcf
Instruction Fuzzy Hash: 5F5165B09046488FDB18CFA9D688BDEBBF0BF49314F24895AE059B7391C7745844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0119B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0119B730
GetCurrentThread.KERNEL32 ref: 0119B76D
GetCurrentProcess.KERNEL32 ref: 0119B7AA
GetCurrentThreadId.KERNEL32 ref: 0119B803

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: eeb48d40ec8e3a8dd16e9c06ef10086ed1a583253e253d862b1fb6cb75dec746
Instruction ID: 4e82f560c30c4175e6a83d6d6ce038f28a3d73ed01480a1f9c004bd8027d3fbc
Opcode Fuzzy Hash: eeb48d40ec8e3a8dd16e9c06ef10086ed1a583253e253d862b1fb6cb75dec746
Instruction Fuzzy Hash: 5C5164B0D006088FDB18CFA9D688BDEBBF1AB88314F24895AE459B7390C7755844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 011993E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119962E

Strings

HR, xrefs: 0119958B
HR, xrefs: 01199566

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID: HR$HR
API String ID: 4139908857-4037001784
Opcode ID: 1c3d32de3f6bb6e1451a994363faa1694fd11ae703599626220ee73b6a39423e
Instruction ID: b71406dc4a353a5831da3f95cda6cd1aa3979ae49ac566d76c45f14a6725d9da
Opcode Fuzzy Hash: 1c3d32de3f6bb6e1451a994363faa1694fd11ae703599626220ee73b6a39423e
Instruction Fuzzy Hash: 907147B0A00B098FDB29DF69D54179ABBF1BF88218F00892ED45AD7B50D735E846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0119FAA0 Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119FD0A

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 362daab0e6430e076ee38e5e75aaefa4b382a32cb88cd1e33fe3929bf02f6e99
Instruction ID: d0e2928ed9321588bb62b30abe84af640d1a08983840484af9b5f6ce152336d7
Opcode Fuzzy Hash: 362daab0e6430e076ee38e5e75aaefa4b382a32cb88cd1e33fe3929bf02f6e99
Instruction Fuzzy Hash: 84917D718093899FDF06CFA4C8909DDBFB1FF0A314F19819AE854AB262C3359856CF61

Uniqueness

Uniqueness Score: -1.00%

Function 065635B0 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.621533111.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_6560000_Payment confirmation .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffc6f332e33bc7ea6bf749fec607a856251a5265602aafa5d43f5c12da665e8
Instruction ID: 7a6104fe554e9f0062bcb98951248e46999935f9fe7b69b828b24ab6ef123287
Opcode Fuzzy Hash: 2ffc6f332e33bc7ea6bf749fec607a856251a5265602aafa5d43f5c12da665e8
Instruction Fuzzy Hash: 368147B1D04249CFDB10DFAAC8806DEBBB5FF49314F24852AE815AB250DB71A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05371A4C Relevance: 1.7, APIs: 1, Instructions: 185registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,05375F31,00020119,00000000,00000000,?), ref: 053762FF

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b0d2908686068f3e9c2bd97c73c9023e5c18e88ec8ae8af1e9a795dd2117760a
Instruction ID: c7fa01057bb837c84322bd3361f3d2efbc5388182a8792dcef7cd80fe5465804
Opcode Fuzzy Hash: b0d2908686068f3e9c2bd97c73c9023e5c18e88ec8ae8af1e9a795dd2117760a
Instruction Fuzzy Hash: A5715870D0460C9FDB24DFA9C895BAEBBB1FF48314F148429E815AB391DB789881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05376137 Relevance: 1.7, APIs: 1, Instructions: 180registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,05375F31,00020119,00000000,00000000,?), ref: 053762FF

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e49c7dcd6682840cce7e1a169b440b81b57e8e0b4e8dd2357a540352bd832ead
Instruction ID: 6042d2d0f7cc3bf7bdfefc6c052e5ec5ae5f85aec0dd5ddd40d25a28963ac8c7
Opcode Fuzzy Hash: e49c7dcd6682840cce7e1a169b440b81b57e8e0b4e8dd2357a540352bd832ead
Instruction Fuzzy Hash: F87149B0D0461D9FDB24DFA8C895B9EBBB1FF48314F148429E815AB291DB789881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0656365D Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06563790

Memory Dump Source

Source File: 00000015.00000002.621533111.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_6560000_Payment confirmation .jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 7a16f1b5514f8d0c1c5abe5e0c9a0f0e94ba69b9b33bfae828ef570d275b9ce4
Instruction ID: 3c4e0e1ce48c4700e7c8e51601b7da59dbfa00bd3add38e80b79762e85d60cd9
Opcode Fuzzy Hash: 7a16f1b5514f8d0c1c5abe5e0c9a0f0e94ba69b9b33bfae828ef570d275b9ce4
Instruction Fuzzy Hash: 8B5135B1D00259DFDF10CFA9C8846DEBBB5FF48314F24852AE815AB250DB74A986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06561C8C Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06563790

Memory Dump Source

Source File: 00000015.00000002.621533111.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_6560000_Payment confirmation .jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: a823f8193d3ace5a75c01d14ff734b50c282bdbf52f83476e1866707bb77cbff
Instruction ID: 1fbc14d2baf51e8477f9cb408e7ea8bf114ad0cb23189a7e13fb5a799b970bda
Opcode Fuzzy Hash: a823f8193d3ace5a75c01d14ff734b50c282bdbf52f83476e1866707bb77cbff
Instruction Fuzzy Hash: 5C5114B1D00218DFDF10CFA9C8846DEBBB5FF48314F24852AE815AB250DB74A986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0119FBF8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119FD0A

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 122050c3c9ea8499dff20b4d558970fb62dc846fc1513f5cd607d41863a13704
Instruction ID: 3dcf784d62941a602e692c0cf17ece67344c16c2755e5b75f3139e093b3ca7e4
Opcode Fuzzy Hash: 122050c3c9ea8499dff20b4d558970fb62dc846fc1513f5cd607d41863a13704
Instruction Fuzzy Hash: 3841B0B1D00309AFDF14CF99D884ADEBFB5BF88314F24812AE819AB250D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05375FBC Relevance: 1.6, APIs: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 053760AF

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4ae7dd933a205f9c017922bc92468a76145fcae8ba8dde932dbf92dddd52b1e1
Instruction ID: 9e3b2390b144ebca38b8c8e31c9f7d397c4f124fee0302e8c6a87feb0eaf3fd7
Opcode Fuzzy Hash: 4ae7dd933a205f9c017922bc92468a76145fcae8ba8dde932dbf92dddd52b1e1
Instruction Fuzzy Hash: 574146B0D1475C9FCB20CFA9C895B9DBFB5BB48314F14852AE819A7340DBB99841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05371A40 Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 053760AF

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5f16ec23a640bacd69f8a88650ab7dddca1ed6089d68c2d5fd13ea19259b3205
Instruction ID: 7fb1ff7018895ee7befbce5327549c6c5a5bd603f745dfa4ad2e0503af7bd38d
Opcode Fuzzy Hash: 5f16ec23a640bacd69f8a88650ab7dddca1ed6089d68c2d5fd13ea19259b3205
Instruction Fuzzy Hash: 1B4135B0D0475CDFCB20CF99C895B9EBFF5BB48314F14852AE819AB240DBB99841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05377B9C Relevance: 1.6, APIs: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 05377C7C

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 22c8f2b4c74104f55da91fcdfbc6622f541995f1cf56ed3129937eccf829e99e
Instruction ID: db5489e88566fcd4480b621f850dbed3a21324590d2f58f1b5b0cf848546b9d4
Opcode Fuzzy Hash: 22c8f2b4c74104f55da91fcdfbc6622f541995f1cf56ed3129937eccf829e99e
Instruction Fuzzy Hash: 794127B0D1025D8FDB20CFA9C88579EBBF5FF48714F148529E815A7280DBB89881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05377BA8 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?), ref: 05377C7C

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: df1be1e3369ea94dc425ccf5acd4cf3384434c3372f14de8cbff69e6ad1b967c
Instruction ID: 04e35a91bb5a8782646eab4c14aea180078f353f305323d39d566bd6200e5739
Opcode Fuzzy Hash: df1be1e3369ea94dc425ccf5acd4cf3384434c3372f14de8cbff69e6ad1b967c
Instruction Fuzzy Hash: E83117B0D1465D8FDB20CFA9C88579EBBF5FB48714F148529E815A7280D7B89881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 053704C8 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0537049D

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 40b772acd60d9cd3eb58df6fc5dff3d3500cfee3b3bc011ef4d67cf612913ee7
Instruction ID: bc4d83d4affceacd029043e2640da7ec67a45dd44d21297fa8f3a899fe7a18dc
Opcode Fuzzy Hash: 40b772acd60d9cd3eb58df6fc5dff3d3500cfee3b3bc011ef4d67cf612913ee7
Instruction Fuzzy Hash: 92316B74E08248CFDB28CFA9D888AEDBBF1BF49324F1485A9D405A7361C7789944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0119BCF9 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119BD87

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6df9cfe3905749d6ddfe0fe46cd286754fb50f8ccc84a79b7e1682a3e2d4228d
Instruction ID: 544f848c2a8d5a7a2f30e26ed930e94c42355b87a9f2490fb856130404140cc3
Opcode Fuzzy Hash: 6df9cfe3905749d6ddfe0fe46cd286754fb50f8ccc84a79b7e1682a3e2d4228d
Instruction Fuzzy Hash: 4521F2B59002089FDF00CF9AD884ADEBBF8EB48324F14841AE918A7311C378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0119BD00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119BD87

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 91b626655001680ce9a5e60f0caab2913db61bfa1d39bd10b6cc9f20e1712b91
Instruction ID: 116c3c63e7556cb070ba81d5f8bc911033b5fe2ee86ff781da28de7b2fdc506b
Opcode Fuzzy Hash: 91b626655001680ce9a5e60f0caab2913db61bfa1d39bd10b6cc9f20e1712b91
Instruction Fuzzy Hash: 8D21C4B59012089FDF10CF99D984ADEBFF8EB48324F14841AE918B7350D379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01199849 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011996A9,00000800,00000000,00000000), ref: 011998BA

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 82b261bf9f9685121b8fb901381a3cb009512b3e94e0447e6d50d4a3622222f8
Instruction ID: fc22a5524c75ab28140ccab5529d34ae5f2141950886c66a596f45a6ba3e1da3
Opcode Fuzzy Hash: 82b261bf9f9685121b8fb901381a3cb009512b3e94e0447e6d50d4a3622222f8
Instruction Fuzzy Hash: 1E21F2B28002099FDB14CF9AD444ADEFBF4AB89324F14842ED525AB600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01198768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011996A9,00000800,00000000,00000000), ref: 011998BA

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37bb2b92460845b82c46d85fe5509fec0e8488b9b4b740564c2121be02bf1dc4
Instruction ID: 2a350f81634d65483e2789963d457f8accead3464ca2ce9bbfb4352fca061493
Opcode Fuzzy Hash: 37bb2b92460845b82c46d85fe5509fec0e8488b9b4b740564c2121be02bf1dc4
Instruction Fuzzy Hash: CC11C4B59002099BDB14CF9AD444ADEBBF4AB48314F14842ED525BB700C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0119FE38 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0119FE9D

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9a6039fc176b36be74718b0bce6086dac8d1c9e0b4c2c11c34ba09d306e445ed
Instruction ID: dc624b5ed8ad1d96726807a6a9314e3d4edd46ddbe94b36afb852b274eb5fbe2
Opcode Fuzzy Hash: 9a6039fc176b36be74718b0bce6086dac8d1c9e0b4c2c11c34ba09d306e445ed
Instruction Fuzzy Hash: 761122B58002499FDB10CF99D585BDEFFF8EB88324F24841AD854B7641C379A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011995C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119962E

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c666898fbc55d756db71adfeab83bc1b606626b86ef451a10838f4dc28c0e294
Instruction ID: e57ac651407c6d333a6abcda3abfad182504e4e0a289fd136f1e83cfad13a1ba
Opcode Fuzzy Hash: c666898fbc55d756db71adfeab83bc1b606626b86ef451a10838f4dc28c0e294
Instruction Fuzzy Hash: EC11E0B6C006498FDF14CF9AD844BDEFBF4AB88624F14842AD829B7640C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05370438 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0537049D

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f1a9113dc0b8424e9483bab8f407d1163fa6888f93c3a137863ae1bc25f5439b
Instruction ID: a483ba9102983c59b7ccd7402f55ac3d23bc23f21f6d0916c2979adc081fd502
Opcode Fuzzy Hash: f1a9113dc0b8424e9483bab8f407d1163fa6888f93c3a137863ae1bc25f5439b
Instruction Fuzzy Hash: 6511E0B1C046498FCB10DF9AD848BDEFBF4AB48324F14852AD869A7640D378A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05375A48 Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000), ref: 0537642F

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 04e1b12cef1979adad3dd7458d48a14bcbae955e6a82abcf38b4f488aae23038
Instruction ID: f87fa96a2d6c2f5168355aab8e0ed915f92cf9d54ff83dee2a922b7b59963c93
Opcode Fuzzy Hash: 04e1b12cef1979adad3dd7458d48a14bcbae955e6a82abcf38b4f488aae23038
Instruction Fuzzy Hash: AF1106B1C006488FCB20DF99D4497DEFBF8EB88324F248459D519B7640D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053763CB Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000), ref: 0537642F

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e308236b4157dba1847392f548f097c93f3f00e4908819dcffdf70887e92cf3e
Instruction ID: fecf69826bc5fa1e979bb3914d73746c8a7ec844bd4c57598e1bc9bac090731d
Opcode Fuzzy Hash: e308236b4157dba1847392f548f097c93f3f00e4908819dcffdf70887e92cf3e
Instruction Fuzzy Hash: 211103B18006088FCB10DF99D885BDEBBF8EB88324F24841AD519B7740C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0119FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0119FE9D

Memory Dump Source

Source File: 00000015.00000002.614826148.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1190000_Payment confirmation .jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 821fd7763e9e072cad66a402ff1cf6c47fd6717103cfd3f52df7669a474eb3c2
Instruction ID: 87343d307829d4893387f6bb888b1abc18d6a8de158e06e6346cc6fcaca893e7
Opcode Fuzzy Hash: 821fd7763e9e072cad66a402ff1cf6c47fd6717103cfd3f52df7669a474eb3c2
Instruction Fuzzy Hash: 501103B58002099FDB10DF99D585BDEBBF8EB48724F24841AD914B7741C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05370440 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0537049D

Memory Dump Source

Source File: 00000015.00000002.620819364.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_5370000_Payment confirmation .jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1fa48a97f52acab59df26971abdd530016023137a1e30f4c692cd1129641cf92
Instruction ID: 7a0b8a792daf2506a3c0c81630d3b79b70dd9be070c53b560f6f9b9b1c920fcd
Opcode Fuzzy Hash: 1fa48a97f52acab59df26971abdd530016023137a1e30f4c692cd1129641cf92
Instruction Fuzzy Hash: 5611D0B5C046498FCB20DF9AD848BDEFBF4EB48324F14852AD819B7640D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment confirmation .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Jbx Signature Overview

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment confirmation .exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bf0tqcoi.ti0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fw12uc5a.y50.psm1

C:\Users\user\AppData\Local\Temp\tmp2497.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\iBGUhLU.exe

C:\Users\user\AppData\Roaming\iBGUhLU.exe:Zone.Identifier

C:\Users\user\Documents\20220125\PowerShell_transcript.928100.EGNDur5V.20220125053156.txt

Static File Info

General

Windows Analysis Report
Payment confirmation .exe

Function 0758D130 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02BB556C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 02BB416C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0758CEA8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0758CD10 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 0758CF98 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02BBE0D8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0758CDE8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 0758CC60 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 02BBEEC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0579E7A1 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Function 0579E7A8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre