Edit tour

Windows Analysis Report
Payment confirmation .exe

Overview

General Information

Sample Name:	Payment confirmation .exe
Analysis ID:	559231
MD5:	0d98108aa5a3383c2c3152cf2cd5ae9a
SHA1:	e08d7ba0bf0ac4f93d17e71d27a82dfb22058626
SHA256:	796f57da16fa76bd10afb6a16f9f75b78673f47556ce4d93d93ec34b5d898f61
Tags:	exenanocore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Payment confirmation .exe (PID: 4540 cmdline: "C:\Users\user\Desktop\Payment confirmation .exe" MD5: 0D98108AA5A3383C2C3152CF2CD5AE9A)

powershell.exe (PID: 5776 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4688 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Payment confirmation .exe (PID: 5116 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: 0D98108AA5A3383C2C3152CF2CD5AE9A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69457:$a: NanoCore 0x694b0:$a: NanoCore 0x694ed:$a: NanoCore 0x69566:$a: NanoCore 0x694b9:$b: ClientPlugin 0x694f6:$b: ClientPlugin 0x69df4:$b: ClientPlugin 0x69e01:$b: ClientPlugin 0x863c8:$b: ClientPlugin 0x5f6e6:$e: KeepAlive 0x69941:$g: LogClientMessage 0x698c1:$i: get_Connected 0x5f7cc:$j: #=q 0x5f7e8:$j: #=q 0x5f804:$j: #=q 0x5f820:$j: #=q 0x5f83c:$j: #=q 0x5f86c:$j: #=q 0x5f89c:$j: #=q 0x5f8b8:$j: #=q 0x5f8d4:$j: #=q
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d95:$x1: NanoCore.ClientPluginHost 0x5b3b5:$x1: NanoCore.ClientPluginHost 0x10dd2:$x2: IClientNetworkHost 0x5b3f2:$x2: IClientNetworkHost 0x14905:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5ef25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10afd:$a: NanoCore 0x10b0d:$a: NanoCore 0x10d41:$a: NanoCore 0x10d55:$a: NanoCore 0x10d95:$a: NanoCore 0x5b11d:$a: NanoCore 0x5b12d:$a: NanoCore 0x5b361:$a: NanoCore 0x5b375:$a: NanoCore 0x5b3b5:$a: NanoCore 0x10b5c:$b: ClientPlugin 0x10d5e:$b: ClientPlugin 0x10d9e:$b: ClientPlugin 0x5b17c:$b: ClientPlugin 0x5b37e:$b: ClientPlugin 0x5b3be:$b: ClientPlugin 0x10c83:$c: ProjectData 0x5b2a3:$c: ProjectData 0xe0ba2:$c: ProjectData 0x1168a:$d: DESCrypto 0x5bcaa:$d: DESCrypto
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8a865:$a: NanoCore 0x8a8be:$a: NanoCore 0x8a8fb:$a: NanoCore 0x8a974:$a: NanoCore 0x9e01f:$a: NanoCore 0x9e034:$a: NanoCore 0x9e069:$a: NanoCore 0xc628a:$a: NanoCore 0xc62a2:$a: NanoCore 0xc62cb:$a: NanoCore 0xdf11b:$a: NanoCore 0xdf130:$a: NanoCore 0xdf165:$a: NanoCore 0x107372:$a: NanoCore 0x10738a:$a: NanoCore 0x1073b3:$a: NanoCore 0x8a8c7:$b: ClientPlugin 0x8a904:$b: ClientPlugin 0x8b202:$b: ClientPlugin 0x8b20f:$b: ClientPlugin 0x9dddb:$b: ClientPlugin
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10e25:$x1: NanoCore.ClientPluginHost 0x10e62:$x2: IClientNetworkHost 0x14995:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b8d:$a: NanoCore 0x10b9d:$a: NanoCore 0x10dd1:$a: NanoCore 0x10de5:$a: NanoCore 0x10e25:$a: NanoCore 0x10bec:$b: ClientPlugin 0x10dee:$b: ClientPlugin 0x10e2e:$b: ClientPlugin 0x10d13:$c: ProjectData 0x164e32:$c: ProjectData 0x1171a:$d: DESCrypto 0x190e6:$e: KeepAlive 0x170d4:$g: LogClientMessage 0x132cf:$i: get_Connected 0x11a50:$j: #=q 0x11a80:$j: #=q 0x11a9c:$j: #=q 0x11acc:$j: #=q 0x11ae8:$j: #=q 0x11b04:$j: #=q 0x11b34:$j: #=q
Process Memory Space: Payment confirmation .exe PID: 4540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6aabd:$x1: NanoCore.ClientPluginHost 0x2efd72:$x1: NanoCore.ClientPluginHost 0x6aafa:$x2: IClientNetworkHost 0x2efdaf:$x2: IClientNetworkHost 0x6e5eb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79671:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86416:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f38a0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2fe926:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 4540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment confirmation .exe PID: 4540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 4540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a78a:$a: NanoCore 0x6a79a:$a: NanoCore 0x6a859:$a: NanoCore 0x6a868:$a: NanoCore 0x6aa69:$a: NanoCore 0x6aa7d:$a: NanoCore 0x6aabd:$a: NanoCore 0x75cdb:$a: NanoCore 0x75ced:$a: NanoCore 0x75d29:$a: NanoCore 0x82a80:$a: NanoCore 0x82a92:$a: NanoCore 0x82ace:$a: NanoCore 0x2efa3f:$a: NanoCore 0x2efa4f:$a: NanoCore 0x2efb0e:$a: NanoCore 0x2efb1d:$a: NanoCore 0x2efd1e:$a: NanoCore 0x2efd32:$a: NanoCore 0x2efd72:$a: NanoCore 0x2faf90:$a: NanoCore
Process Memory Space: Payment confirmation .exe PID: 5116	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x316ba:$x1: NanoCore.ClientPluginHost 0x3496f:$x1: NanoCore.ClientPluginHost 0x4fe57:$x1: NanoCore.ClientPluginHost 0x9e7d7:$x1: NanoCore.ClientPluginHost 0xc8277:$x1: NanoCore.ClientPluginHost 0xd7989:$x1: NanoCore.ClientPluginHost 0x316d4:$x2: IClientNetworkHost 0x349ac:$x2: IClientNetworkHost 0x4fe71:$x2: IClientNetworkHost 0x9e804:$x2: IClientNetworkHost 0xc8291:$x2: IClientNetworkHost 0xd79a3:$x2: IClientNetworkHost 0x3849d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43523:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Payment confirmation .exe PID: 5116	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Payment confirmation .exe PID: 5116	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15fc0:$a: NanoCore 0x1601b:$a: NanoCore 0x16090:$a: NanoCore 0x31624:$a: NanoCore 0x3167d:$a: NanoCore 0x316ba:$a: NanoCore 0x31733:$a: NanoCore 0x31f68:$a: NanoCore 0x31fbb:$a: NanoCore 0x31ff4:$a: NanoCore 0x32067:$a: NanoCore 0x32bb6:$a: NanoCore 0x3463c:$a: NanoCore 0x3464c:$a: NanoCore 0x3470b:$a: NanoCore 0x3471a:$a: NanoCore 0x3491b:$a: NanoCore 0x3492f:$a: NanoCore 0x3496f:$a: NanoCore 0x3fb8d:$a: NanoCore 0x3fb9f:$a: NanoCore
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.Payment confirmation .exe.6800000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6800000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6804c9f.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6804c9f.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.6800000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6800000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.5390000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.5390000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6074629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Payment confirmation .exe.3ef5c98.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3ef5c98.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3ef5c98.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3ef5c98.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x3c845:$x1: NanoCore.ClientPluginHost 0x556df:$x1: NanoCore.ClientPluginHost 0x7d92d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x3c85f:$x2: IClientNetworkHost 0x5570c:$x2: IClientNetworkHost 0x7d947:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x3c845:$x2: NanoCore.ClientPluginHost 0x556df:$x2: NanoCore.ClientPluginHost 0x7d92d:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x3fb82:$s4: PipeCreated 0x567ba:$s4: PipeCreated 0x80c6a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x3c832:$s5: IClientLoggingHost 0x556f9:$s5: IClientLoggingHost 0x7d91a:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.3e82a86.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x3c804:$a: NanoCore 0x3c81c:$a: NanoCore 0x3c845:$a: NanoCore 0x55695:$a: NanoCore 0x556aa:$a: NanoCore 0x556df:$a: NanoCore 0x7d8ec:$a: NanoCore 0x7d904:$a: NanoCore 0x7d92d:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin
0.2.Payment confirmation .exe.3d0cc08.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3d0cc08.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment confirmation .exe.3d0cc08.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.Payment confirmation .exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.3e878bc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e878bc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e878bc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x37a0f:$x1: NanoCore.ClientPluginHost 0x508a9:$x1: NanoCore.ClientPluginHost 0x78af7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x37a29:$x2: IClientNetworkHost 0x508d6:$x2: IClientNetworkHost 0x78b11:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x37a0f:$x2: NanoCore.ClientPluginHost 0x508a9:$x2: NanoCore.ClientPluginHost 0x78af7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x3ad4c:$s4: PipeCreated 0x51984:$s4: PipeCreated 0x7be34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x379fc:$s5: IClientLoggingHost 0x508c3:$s5: IClientLoggingHost 0x78ae4:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e878bc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.680e8a4.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.680e8a4.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.6070000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.6070000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.Payment confirmation .exe.2e59678.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.2e59678.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.Payment confirmation .exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.Payment confirmation .exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.Payment confirmation .exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x333e6:$x1: NanoCore.ClientPluginHost 0x4c280:$x1: NanoCore.ClientPluginHost 0x744ce:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x33400:$x2: IClientNetworkHost 0x4c2ad:$x2: IClientNetworkHost 0x744e8:$x2: IClientNetworkHost
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x333e6:$x2: NanoCore.ClientPluginHost 0x4c280:$x2: NanoCore.ClientPluginHost 0x744ce:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x36723:$s4: PipeCreated 0x4d35b:$s4: PipeCreated 0x7780b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x333d3:$s5: IClientLoggingHost 0x4c29a:$s5: IClientLoggingHost 0x744bb:$s5: IClientLoggingHost
21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.2d2f510.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Payment confirmation .exe.2d3e02c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x5a7ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5a7ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x5a515:$a: NanoCore 0x5a525:$a: NanoCore 0x5a759:$a: NanoCore 0x5a76d:$a: NanoCore 0x5a7ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x5a574:$b: ClientPlugin 0x5a776:$b: ClientPlugin 0x5a7b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x5a69b:$c: ProjectData 0xdff9a:$c: ProjectData 0x10a82:$d: DESCrypto 0x5b0a2:$d: DESCrypto
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x16419a:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
Click to see the 69 entries

Sigma Overview

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5116, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

System Summary

Sigma detected: Suspicius Add Task From User AppData Temp

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp, ProcessId: 4688

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, ProcessId: 5776

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 4540, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe, ProcessId: 5776

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132875911133208884.5776.DefaultAppDomain.powershell

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: Payment confirmation .exe	Virustotal: Detection: 31%			Perma Link
Source: Payment confirmation .exe	ReversingLabs: Detection: 32%

Antivirus detection for URL or domain

Source: 37.120.210.211

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe

ReversingLabs: Detection: 32%

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Machine Learning detection for sample

Source: Payment confirmation .exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Joe Sandbox ML: detected

Source: 21.0.Payment confirmation .exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Payment confirmation .exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.Payment confirmation .exe.6070000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 21.0.Payment confirmation .exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Payment confirmation .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 37.120.210.211
Source: Malware configuration extractor	URLs: naki.airdns.org

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Source: global traffic

TCP traffic: 192.168.2.6:49811 -> 146.70.76.43:56281

Source: Payment confirmation .exe, 00000000.00000003.357486991.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357630236.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357683121.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356117157.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356305451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000003.357825255.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357302229.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357469019.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357024345.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357977143.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356575956.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356445695.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356700406.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356887648.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357619118.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357149641.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.como
Source: Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comug
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment confirmation .exe, 00000000.00000003.367709317.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html%
Source: Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com3
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com9
Source: Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comac
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comces
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comcyK
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comesH
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comhly
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comlg
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comncyI
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comr-t
Source: Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comso
Source: Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366935086.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367218271.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367116516.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comt0
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comth
Source: Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comva&
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comypo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380893532.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382778780.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381168425.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.380694836.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393142180.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers%
Source: Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374545461.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374384052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382554954.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382497875.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: Payment confirmation .exe, 00000000.00000003.380972243.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381322016.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381187839.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381501028.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381061897.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380504872.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380770592.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380416970.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: Payment confirmation .exe, 00000000.00000003.376830096.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersc
Source: Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersh
Source: Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000002.559399340.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdia
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnls(
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnmpa
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnno
Source: Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrm
Source: Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsof0
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.386807451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386605316.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387075190.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387222007.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386931372.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr-c
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krmn-u
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.386028171.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comno.
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.368239598.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368365048.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368048501.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comd
Source: Payment confirmation .exe, 00000000.00000003.360911622.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361056673.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krTF
Source: Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr_
Source: Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krs-c
Source: Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.coms
Source: Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383309388.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383712360.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383422790.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383830654.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383630749.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383516270.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deg
Source: Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de~
Source: Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnk
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnls(
Source: Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.V

Source: unknown

DNS traffic detected: queries for: naki.airdns.org

Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment confirmation .exe

Source: Payment confirmation .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6804c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6800000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.5390000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.680e8a4.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.2e59678.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6F80
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6F72
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6D30
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_02BB6D22
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05794454
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_0579C658
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05792330
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05790D94
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_05791C18
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_0758DDA8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07582102
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07585770
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07585508
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119E471
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119E480
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0119BBD4
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05376550
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05373E30
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537BED8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05374A50
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537CAF0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_05374B08
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_0537CBAE

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process Stats: CPU usage > 98%

Source: Payment confirmation .exe, 00000000.00000002.558685046.0000000000A66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567565837.00000000074C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.567891113.0000000007690000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000000.550290214.00000000009E6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilenameObjRefSurroga.exe0 vs Payment confirmation .exe

Source: Payment confirmation .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iBGUhLU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Payment confirmation .exe	Virustotal: Detection: 31%
Source: Payment confirmation .exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\Payment confirmation .exe

Jump to behavior

Source: Payment confirmation .exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Payment confirmation .exe "C:\Users\user\Desktop\Payment confirmation .exe"
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/9@2/1

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\NFjYqzvaoo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2616a878-9933-42e4-9fe0-3b57e29bc1f5}

Source: Payment confirmation .exe, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Payment confirmation .exe, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Payment confirmation .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains potential unpacker

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: Payment confirmation .exe, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: iBGUhLU.exe.0.dr, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Payment confirmation .exe.970000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.9.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.11.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.1.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 21.0.Payment confirmation .exe.8f0000.0.unpack, nW/bWj.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07310C15 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_065618FC push E802005Eh; retf
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_06561912 pushad ; retf
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 21_2_06561904 push E801035Eh; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.86642009336
Source: initial sample	Static PE information: section name: .text entropy: 7.86642009336

Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.0.Payment confirmation .exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\Payment confirmation .exe

File created: C:\Users\user\AppData\Roaming\iBGUhLU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Payment confirmation .exe

File opened: C:\Users\user\Desktop\Payment confirmation .exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Payment confirmation .exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Payment confirmation .exe.2d2f510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.2d3e02c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5584	Thread sleep time: -34001s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5408	Thread sleep time: -62000s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 5728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3456	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 1352	Thread sleep time: -10145709240540247s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6227
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2358
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 3363
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 5848

Source: C:\Users\user\Desktop\Payment confirmation .exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 34001
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477

Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment confirmation .exe

Memory written: C:\Users\user\Desktop\Payment confirmation .exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe

Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\|$,
Source: Payment confirmation .exe, 00000015.00000002.617591812.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617574269.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621629051.000000000696E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621303249.0000000005EAB000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621509072.000000000654E000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621454017.00000000061CD000.00000004.00000010.00020000.00000000.sdmp, Payment confirmation .exe, 00000015.00000002.621476746.000000000630F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(h
Source: Payment confirmation .exe, 00000015.00000002.617436294.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Users\user\Desktop\Payment confirmation .exe VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment confirmation .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Payment confirmation .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Payment confirmation .exe, 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6074629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e82a86.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e878bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.6070000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Payment confirmation .exe.3e8bee5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3d0cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3ef5c98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5116, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	23 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment confirmation .exe	32%	Virustotal		Browse
Payment confirmation .exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
Payment confirmation .exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\iBGUhLU.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\iBGUhLU.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.0.Payment confirmation .exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.Payment confirmation .exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.Payment confirmation .exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.Payment confirmation .exe.6070000.9.unpack	100%	Avira	TR/NanoCore.fadte	Download File
21.0.Payment confirmation .exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
naki.airdns.org	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.carterandcone.comces	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cnK	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.goodfont.co.kr-c	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnrm	0%	Avira URL Cloud	safe
37.120.210.211	4%	Virustotal		Browse
37.120.210.211	100%	Avira URL Cloud	malware
naki.airdns.org	0%	Avira URL Cloud	safe
http://www.carterandcone.com3	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.urwpp.de~	0%	Avira URL Cloud	safe
http://www.carterandcone.comt0	0%	Avira URL Cloud	safe
http://www.carterandcone.comypo	0%	URL Reputation	safe
http://www.founder.com.cn/cnno	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.fontbureau.comdia	0%	URL Reputation	safe
http://www.sandoll.co.krs-c	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sandoll.co.krTF	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comncyI	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnls(	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnsof0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.carterandcone.com9	0%	URL Reputation	safe
http://fontfabrik.comug	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html%	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.carterandcone.comac	0%	Avira URL Cloud	safe
http://www.sakkal.comd	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://fontfabrik.como	0%	Avira URL Cloud	safe
http://www.goodfont.co.krmn-u	0%	Avira URL Cloud	safe
http://www.carterandcone.comth	0%	Avira URL Cloud	safe
http://www.carterandcone.comcyK	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comno.	0%	Avira URL Cloud	safe
http://www.carterandcone.comc	0%	URL Reputation	safe
http://www.tiro.comslnt	0%	URL Reputation	safe
http://www.tiro.coms	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.V	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnmpa	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmo	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.comlg	0%	Avira URL Cloud	safe
http://www.carterandcone.comm	0%	URL Reputation	safe
http://www.sandoll.co.kr_	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.zhongyicts.com.cnk	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comhly	0%	URL Reputation	safe
http://www.founder.com.cn/cnls(	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.urwpp.deg	0%	Avira URL Cloud	safe
http://www.carterandcone.comesH	0%	Avira URL Cloud	safe
http://www.carterandcone.comr-t	0%	Avira URL Cloud	safe
http://www.carterandcone.comso	0%	Avira URL Cloud	safe
http://www.carterandcone.comva&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
naki.airdns.org	146.70.76.43	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
37.120.210.211	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
naki.airdns.org	true	Avira URL Cloud: safe	unknown
0,0,343003226,0000000000A68000,00000002,00000001,01000000,00000003,3,D7A61577F9C39F0C	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.comces	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comn-u	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnK	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr-c	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersB	Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnrm	Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380893532.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382778780.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381168425.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.com3	Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de~	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comt0	Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366935086.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367218271.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367116516.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comypo	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnno	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdia	Payment confirmation .exe, 00000000.00000002.559399340.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krs-c	Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersh	Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krTF	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356117157.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356305451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comncyI	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnls(	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnsof0	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnl	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com9	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comug	Payment confirmation .exe, 00000000.00000003.356378144.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersc	Payment confirmation .exe, 00000000.00000003.376830096.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersb	Payment confirmation .exe, 00000000.00000003.383170261.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html%	Payment confirmation .exe, 00000000.00000003.367709317.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com	Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Payment confirmation .exe, 00000000.00000003.360911622.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.361056673.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360528445.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comac	Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.comd	Payment confirmation .exe, 00000000.00000003.368239598.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368365048.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.368048501.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367855914.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383309388.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383712360.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383422790.0000000005CD7000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383830654.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383630749.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.383516270.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment confirmation .exe, 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.367781250.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.como	Payment confirmation .exe, 00000000.00000003.357825255.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357302229.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357469019.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357024345.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357977143.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356575956.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356445695.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356700406.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.356887648.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357619118.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357149641.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.krmn-u	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comth	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comcyK	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.comno.	Payment confirmation .exe, 00000000.00000003.353514887.0000000005CB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comc	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comslnt	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.coms	Payment confirmation .exe, 00000000.00000003.362814594.00000000012CC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.V	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers~	Payment confirmation .exe, 00000000.00000003.376667085.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376137586.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374935499.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.376425938.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnmpa	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmo	Payment confirmation .exe, 00000000.00000003.386807451.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386605316.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387075190.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.387222007.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.386931372.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmle	Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382554954.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.382497875.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://en.w	Payment confirmation .exe, 00000000.00000003.357486991.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357630236.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.357683121.0000000005CDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comlg	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comm	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366744577.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr_	Payment confirmation .exe, 00000000.00000003.360704375.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnk	Payment confirmation .exe, 00000000.00000003.363863872.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363495280.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364016052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363634963.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363356203.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Payment confirmation .exe, 00000000.00000003.361861660.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Payment confirmation .exe, 00000000.00000003.380972243.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381322016.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381187839.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381501028.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.381061897.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380504872.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380770592.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.380416970.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comhly	Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnls(	Payment confirmation .exe, 00000000.00000003.362608382.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362684991.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363185032.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362259718.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.363056742.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362098396.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362442942.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.362900001.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	Payment confirmation .exe, 00000000.00000003.386028171.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers%	Payment confirmation .exe, 00000000.00000003.380694836.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393018990.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.393142180.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment confirmation .exe, 00000000.00000002.567198922.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deg	Payment confirmation .exe, 00000000.00000003.372633234.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372433937.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.372152219.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comesH	Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comr-t	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Payment confirmation .exe, 00000000.00000003.373895893.0000000005CD3000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374545461.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.374384052.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comso	Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comva&	Payment confirmation .exe, 00000000.00000003.364507204.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366147501.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365623717.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365906076.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364863222.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366465674.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366265697.0000000005CD4000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365155998.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364641374.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365546838.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364361805.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366326585.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366030122.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365769728.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366668074.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365010134.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.364219785.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365290423.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.365423276.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp, Payment confirmation .exe, 00000000.00000003.366592843.0000000005CCB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlH	Payment confirmation .exe, 00000000.00000003.382357060.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.70.76.43	naki.airdns.org	United Kingdom		2018	TENET-1ZA	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	559231
Start date:	25.01.2022
Start time:	05:29:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Payment confirmation .exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/9@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 2.2% (good quality ratio 2.1%) Quality average: 78.9% Quality standard deviation: 25.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:30:52	API Interceptor	157x Sleep call for process: Payment confirmation .exe modified
05:31:58	API Interceptor	44x Sleep call for process: powershell.exe modified

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22308
Entropy (8bit):	5.601222598067954
Encrypted:	false
SSDEEP:	384:ptCDFC0Nr/0968S0nAjultISD7Y9glSJ3xKT1MaXZlbAV7evWLSZBDI+9g:I/YfTACltt3lcICefwy5Vs
MD5:	D08243BF44C39C230E13DE5552CFC229
SHA1:	C05BE7254C2075C784DD4B232BFF0B6EA7B48BBD
SHA-256:	3851DD96A08B0E86AC34F1FCB2D5A24F0A9AC75B9F1462C1072CBB5B8A38A13A
SHA-512:	3801C6FCB595213D3C85E5DE6E0B0B7F6A8E536B02559440FF93986A7B77DA530B583898A5729FEB916BE73C68826C9D79DC92E3FDB744C4F2A2B77D4A2D9388
Malicious:	false
Reputation:	low
Preview:	@...e...................h...a.Y.V.........I..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bf0tqcoi.ti0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fw12uc5a.y50.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2497.tmp

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1606
Entropy (8bit):	5.116364367259849
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLi7xvn:cgea6YrFdOFzOzN33ODOiDdKrsuT0v
MD5:	9A2AE254726CA1E04F7FD2936BC67727
SHA1:	AC650650400D0E16BB0096603F4FDB882EA30A5C
SHA-256:	8B745FC3F6B96C0FFF0D79A1F2E19CED30436F4D52C5E6948D35D9A6B9CC0A6B
SHA-512:	54C37099355A397324B26FD6C5361DC365F5890267240F5E4D74F8FCA4572A4FBE7980DA3CCC15A86D1AAC0F35DEE515C5B59D72B1970185843ABC523796C5D1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:D+8tn:a8tn
MD5:	94BD220310AF83D117DA8CA8A3BBCA0B
SHA1:	DCFE8F5B801F13E2D95BC41546A55A75A3EAEB10
SHA-256:	4D8124FCE210AED26231BA07B7540B0AD6ED3F43A27B3A2C92DF26C7FBE0AF74
SHA-512:	F2BCDFC397913F3C1A3CC16419AC2F8B57660B2FC28225600B2C4CEB961F6C2C23AACBBC56248EE65CA436D1891233BA453A59183FB82F76C71BCA48AFEF753C
Malicious:	true
Preview:	.kK....H

C:\Users\user\AppData\Roaming\iBGUhLU.exe

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	993280
Entropy (8bit):	7.851238509161969
Encrypted:	false
SSDEEP:	24576:1MJS/fy8oTImIQoM46ayaad63/85GFnhZ5AVU7wsh6I:1MQ/fYJIvmFEZCUxh6I
MD5:	0D98108AA5A3383C2C3152CF2CD5AE9A
SHA1:	E08D7BA0BF0AC4F93D17E71D27A82DFB22058626
SHA-256:	796F57DA16FA76BD10AFB6A16F9F75B78673F47556CE4D93D93EC34B5D898F61
SHA-512:	8018995A3768CA9C91C4837E82167BB386ADBBE7A06054034A10A21AA07C1D2BFD4D62A58CED067AFC232B4A91CCB8E9988FF70F9A4B2A44553030D7D88966A0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l?.a............................>(... ...@....@.. ....................................@..................................'..K....`.. ............................................................................ ............... ..H............text...D.... ...................... ..`.sdata.......@......................@....rsrc... ....`......................@..@.reloc...............&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\iBGUhLU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Payment confirmation .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220125\PowerShell_transcript.928100.EGNDur5V.20220125053156.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5807
Entropy (8bit):	5.378693775721289
Encrypted:	false
SSDEEP:	96:BZkTLGN7qDo1ZOZFTLGN7qDo1ZPrpDjZsTLGN7qDo1ZOWTTQZ3:m
MD5:	EED916291A2BFA3A57D4F776CD15D542
SHA1:	290FE8AB5F6D45987BBC4F488990B236CE80ECEA
SHA-256:	9D914FC076BB34E47CA55D9920B38C72BD785D25971B2CD430E5F276C450BB08
SHA-512:	B0102F73A0C9E73B58F65360450C0ED327432E54B1FCB7E341F7C36DB8E9F219EE6A8759E3CBFA8D156634EB9F9A0F583282DBB0885E0D9AA14DD37702D517F1
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220125053158..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iBGUhLU.exe..Process ID: 5776..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220125053158..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iBGUhLU.exe..********************..Windows PowerShell transcript start..Start time: 20220125053539..Username: computer\user..RunAs User: DESKTOP-716

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.851238509161969
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Payment confirmation .exe
File size:	993280
MD5:	0d98108aa5a3383c2c3152cf2cd5ae9a
SHA1:	e08d7ba0bf0ac4f93d17e71d27a82dfb22058626
SHA256:	796f57da16fa76bd10afb6a16f9f75b78673f47556ce4d93d93ec34b5d898f61
SHA512:	8018995a3768ca9c91c4837e82167bb386adbbe7a06054034a10a21aa07c1d2bfd4d62a58ced067afc232b4a91ccb8e9988ff70f9a4b2a44553030d7d88966a0
SSDEEP:	24576:1MJS/fy8oTImIQoM46ayaad63/85GFnhZ5AVU7wsh6I:1MQ/fYJIvmFEZCUxh6I
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l?.a............................>(... ...@....@.. ....................................@................................

File Icon


Icon Hash:	192d555d6d45650b

Static PE Info

General

Entrypoint:	0x4f283e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61EF3F6C [Tue Jan 25 00:08:12 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf27f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0x1520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf0844	0xf0a00	False	0.917583198052	data	7.86642009336	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xf4000	0x1e8	0x200	False	0.861328125	data	6.61807085145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0x1520	0x1600	False	0.273970170455	data	3.59842284173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf6130	0xea8	data
RT_GROUP_ICON	0xf6fd8	0x14	data
RT_VERSION	0xf6fec	0x348	data
RT_MANIFEST	0xf7334	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2010
Assembly Version	1.0.0.0
InternalName	ObjRefSurroga.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	CSMDown
ProductVersion	1.0.0.0
FileDescription	CSMDown
OriginalFilename	ObjRefSurroga.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2022 05:32:17.356909037 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:20.364269972 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:26.380498886 CET	49811	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:34.445142031 CET	49838	56281	192.168.2.6	146.70.76.43
Jan 25, 2022 05:32:37.443854094 CET	49838	56281	192.168.2.6	146.70.76.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2022 05:32:17.074172974 CET	50010	53	192.168.2.6	8.8.8.8
Jan 25, 2022 05:32:17.347052097 CET	53	50010	8.8.8.8	192.168.2.6
Jan 25, 2022 05:32:34.326653957 CET	62116	53	192.168.2.6	8.8.8.8
Jan 25, 2022 05:32:34.432260036 CET	53	62116	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2022 05:32:17.074172974 CET	192.168.2.6	8.8.8.8	0x6641	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)
Jan 25, 2022 05:32:34.326653957 CET	192.168.2.6	8.8.8.8	0x5d8	Standard query (0)	naki.airdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2022 05:32:17.347052097 CET	8.8.8.8	192.168.2.6	0x6641	No error (0)	naki.airdns.org		146.70.76.43	A (IP address)	IN (0x0001)
Jan 25, 2022 05:32:34.432260036 CET	8.8.8.8	192.168.2.6	0x5d8	No error (0)	naki.airdns.org		146.70.76.43	A (IP address)	IN (0x0001)

Start time:	05:30:23
Start date:	25/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment confirmation .exe"
Imagebase:	0x970000
File size:	993280 bytes
MD5 hash:	0D98108AA5A3383C2C3152CF2CD5AE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.562434427.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.559797997.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.563113379.0000000003EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: powershell.exePID: 5776, Parent PID: 4540

General

Start time:	05:31:53
Start date:	25/01/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBGUhLU.exe
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5732, Parent PID: 5776

General

Start time:	05:31:54
Start date:	25/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 4688, Parent PID: 4540

General

Start time:	05:31:58
Start date:	25/01/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBGUhLU" /XML "C:\Users\user\AppData\Local\Temp\tmp2497.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5004, Parent PID: 4688

General

Start time:	05:31:59
Start date:	25/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Payment confirmation .exePID: 5116, Parent PID: 4540

General

Start time:	05:31:59
Start date:	25/01/2022
Path:	C:\Users\user\Desktop\Payment confirmation .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment confirmation .exe
Imagebase:	0x8f0000
File size:	993280 bytes
MD5 hash:	0D98108AA5A3383C2C3152CF2CD5AE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.553341686.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.615775430.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.552240141.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.621380442.0000000006070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.617626488.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.554000137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.612866743.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.621567698.0000000006800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.620905175.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.554553035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment confirmation .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Jbx Signature Overview

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment confirmation .exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bf0tqcoi.ti0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fw12uc5a.y50.psm1

C:\Users\user\AppData\Local\Temp\tmp2497.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\iBGUhLU.exe

C:\Users\user\AppData\Roaming\iBGUhLU.exe:Zone.Identifier

C:\Users\user\Documents\20220125\PowerShell_transcript.928100.EGNDur5V.20220125053156.txt

Static File Info

General

Windows Analysis Report
Payment confirmation .exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre