
Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 628640
MD5: 9d58123708f80d79654d981a8b6d9924
SHA1: 27317b8dbf347408865b071cd40f8c97d1522482
SHA256: b9066fabc2944828b98d6f22985038c59a5f6cfb1ae09b2f6b5c89bf87a43c44
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • INVOICE.exe (PID: 3004 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: 9D58123708F80D79654D981A8B6D9924)
    • INVOICE.exe (PID: 3488 cmdline: C:\Users\user\Desktop\INVOICE.exe MD5: 9D58123708F80D79654D981A8B6D9924)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Yara matches (Source, Rule, Description, Author, Strings):
Source: 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
    Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
      Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Author: ditekSHen
      • 0x51d2f:$s1: file:///
      • 0x51c3f:$s2: {11111-22222-10009-11112}
      • 0x51cbf:$s3: {11111-22222-50001-00000}
      • 0x4f0a5:$s4: get_Module
      • 0x4f4eb:$s5: Reverse
      • 0x5156e:$s6: BlockCopy
      • 0x513b2:$s7: ReadByte
      • 0x51d41:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
      Yara matches (Source, Rule, Description, Author, Strings):
      Source: 3.0.INVOICE.exe.400000.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Source: 3.0.INVOICE.exe.400000.4.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      Source: 3.0.INVOICE.exe.400000.4.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
        Source: 3.0.INVOICE.exe.400000.4.unpack, Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Author: ditekSHen
        • 0xfef5:$x1: NanoCore Client
        • 0xff05:$x1: NanoCore Client
        • 0x1014d:$x2: NanoCore.ClientPlugin
        • 0x1018d:$x3: NanoCore.ClientPluginHost
        • 0x10142:$i1: IClientApp
        • 0x10163:$i2: IClientData
        • 0x1016f:$i3: IClientNetwork
        • 0x1017e:$i4: IClientAppHost
        • 0x101a7:$i5: IClientDataHost
        • 0x101b7:$i6: IClientLoggingHost
        • 0x101ca:$i7: IClientNetworkHost
        • 0x101dd:$i8: IClientUIHost
        • 0x101eb:$i9: IClientNameObjectCollection
        • 0x10207:$i10: IClientReadOnlyNameObjectCollection
        • 0xff54:$s1: ClientPlugin
        • 0x10156:$s1: ClientPlugin
        • 0x1064a:$s2: EndPoint
        • 0x10653:$s3: IPAddress
        • 0x1065d:$s4: IPEndPoint
        • 0x12093:$s6: get_ClientSettings
        • 0x12637:$s7: get_Connected
        Source: 3.0.INVOICE.exe.400000.4.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q

        AV Detection

        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\INVOICE.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


        Remote Access Functionality

        Snort IDS alerts:
        Timestamp                 SID      Source               Destination          Protocol  Classtype
        05/17/22-20:31:37.145576  2816766  192.168.2.5:49815    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:47.656373  2816766  192.168.2.5:49794    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:48.726428  2841753  212.193.30.204:1187  192.168.2.5:49818    TCP       A Network Trojan was detected
        05/17/22-20:31:53.756641  2841753  212.193.30.204:1187  192.168.2.5:49819    TCP       A Network Trojan was detected
        05/17/22-20:31:58.715420  2816766  192.168.2.5:49822    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:10.821016  2816766  192.168.2.5:49806    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:00.853122  2025019  192.168.2.5:49803    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:54.580308  2025019  192.168.2.5:49797    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:01.197924  2816718  192.168.2.5:49803    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:40.618852  2816766  192.168.2.5:49787    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:32:03.661713  2841753  212.193.30.204:1187  192.168.2.5:49822    TCP       A Network Trojan was detected
        05/17/22-20:30:55.725499  2816766  192.168.2.5:49797    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:38.957783  2025019  192.168.2.5:49787    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:42.303773  2025019  192.168.2.5:49816    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:22.376109  2841753  212.193.30.204:1187  192.168.2.5:49812    TCP       A Network Trojan was detected
        05/17/22-20:31:07.938867  2025019  192.168.2.5:49806    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:17.197289  2816766  192.168.2.5:49809    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:31.001024  2025019  192.168.2.5:49781    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:15.942780  2025019  192.168.2.5:49809    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:22.345784  2025019  192.168.2.5:49812    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:53.726213  2025019  192.168.2.5:49819    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:58.625380  2025019  192.168.2.5:49822    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:46.018194  2025019  192.168.2.5:49794    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:36.233314  2025019  192.168.2.5:49815    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:43.265162  2816766  192.168.2.5:49816    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:24.595254  2816766  192.168.2.5:49772    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:29.263030  2025019  192.168.2.5:49813    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:48.698744  2025019  192.168.2.5:49818    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:31:31.058415  2816766  192.168.2.5:49813    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:22.925084  2025019  192.168.2.5:49772    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:33.613252  2816766  192.168.2.5:49781    212.193.30.204:1187  TCP       A Network Trojan was detected
        05/17/22-20:30:47.256191  2810290  212.193.30.204:1187  192.168.2.5:49794    TCP       A Network Trojan was detected
        05/17/22-20:31:02.293623  2816766  192.168.2.5:49803    212.193.30.204:1187  TCP       A Network Trojan was detected


        AV Detection

        Source: 3.0.INVOICE.exe.400000.6.unpack, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
        Source: INVOICE.exe, ReversingLabs: Detection: 26%
        Source: deranano2.ddns.net, Avira URL Cloud: Label: malware
        Source: Yara match, File source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR
        Source: INVOICE.exe, Joe Sandbox ML: detected
        Source: 3.0.INVOICE.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: INVOICE.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: INVOICE.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb source: INVOICE.exe
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb, source: INVOICE.exe

        Networking

        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49781 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49781 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49787 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49787 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49794 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49794 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 212.193.30.204:1187 -> 192.168.2.5:49794
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49797 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49797 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49806 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49806 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49809 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49809 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49812 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49812
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49813 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49813 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49815 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49815 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49816 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49816 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49818 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49818
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49819 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49819
        Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49822 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49822 -> 212.193.30.204:1187
        Source: Traffic, Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49822
        Source: Malware configuration extractor, URLs: deranano2.ddns.net
        Source: unknown, DNS query: name: deranano2.ddns.net
        Source: Joe Sandbox View, ASN Name: SPD-NETTR SPD-NETTR
        Source: Joe Sandbox View, IP Address: 212.193.30.204 212.193.30.204
        Source: global traffic, TCP traffic: 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.coml
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
        Source: INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.coma
        Source: INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comdiao2
        Source: INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comiona
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.goodfont.co.kr
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sakkal.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.tiro.com
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.typography.netD
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
        Source: INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknown, DNS traffic detected: queries for: deranano2.ddns.net
        Source: INVOICE.exe, 00000000.00000002.486049973.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>


        System Summary

        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.7300000.11.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.7300000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: initial sample Static PE information: Filename: INVOICE.exe
        Source: INVOICE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.7300000.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.7300000.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
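The match tables above print one line per (source, rule) pair, so the same four rules appear dozens of times and the useful signal, which rule fired in which process, is hard to read off. The following is an added helper, not part of the Joe Sandbox report, that parses those lines and regroups them. The sample lines embedded in it are copied from the tables above; the "proc N" labels derive from the report's own process index at the front of every unpack and .sdmp name (not the Windows PID), and that interpretation is the helper's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: seven lines copied from the match tables above. Joe Sandbox
# emits one line per (source, rule); flattening the HTML table fuses the "type"
# column with the "Matched rule" label, which the regex below tolerates.
SAMPLE_LINES = """
Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT
Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.INVOICE.exe.7300000.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT
Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# "key = value, key = value"; values may contain spaces, '<', '/' or ':'
META_RE = re.compile(r"(\w+)\s*=\s*(.+?)(?=,\s*\w+\s*=|$)")


def parse_matches(text):
    """Turn report lines into dicts with source, type, rule and rule metadata."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        meta = {k: v.strip() for k, v in META_RE.findall(m.group("meta"))}
        out.append({"source": m.group("source"), "type": m.group("type"),
                    "rule": m.group("rule"), "meta": meta})
    return out


def source_process(source):
    """Label a source by the process it came from.

    Assumption: unpacked images are named "<process index>.<dump>.<image>..."
    and memory dumps "<process index, 8 digits>.<dump>....sdmp", where the index
    is the report's own numbering, not the Windows PID. Process-memory-space
    hits carry the PID instead and are labelled separately.
    """
    m = re.match(r"^(\d+)\.\d+\.", source)
    if m:
        return f"proc {int(m.group(1))}"
    m = re.search(r"PID:\s*(\d+)", source)
    if m:
        return f"pid {m.group(1)}"
    return "unknown"


def rules_by_process(matches):
    """process label -> set of rule names that fired somewhere in it."""
    grouped = defaultdict(set)
    for m in matches:
        grouped[source_process(m["source"])].add(m["rule"])
    return dict(grouped)


def sources_by_rule(matches):
    """rule name -> sorted list of distinct sources it matched."""
    grouped = defaultdict(set)
    for m in matches:
        grouped[m["rule"]].add(m["source"])
    return {rule: sorted(srcs) for rule, srcs in grouped.items()}


if __name__ == "__main__":
    matches = parse_matches(SAMPLE_LINES)
    for proc, rules in sorted(rules_by_process(matches).items()):
        print(proc, "->", ", ".join(sorted(rules)))
```

Run over the full table the same way, the grouping shows that the zgRAT rule fires only in process 0 (the original INVOICE.exe, where the decrypted stages sit on the heap) while the NanoCore rules fire both there and in process 3 at 0x402000, the address of a freshly written image in the spawned copy.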
        Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_009AE6F0
        Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_009AC2C4
        Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_009AE6E0
        Source: INVOICE.exe, 00000000.00000000.433423234.0000000000470000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.486049973.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INVOICE.exe
        Source: INVOICE.exe, 00000003.00000000.478773352.0000000000BE0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
        Source: INVOICE.exe Binary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
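The "OriginalFilename ... vs INVOICE.exe" lines are the sandbox comparing the name the version resource declares with the name the file was run under; a lure named INVOICE.exe that calls itself IObjectRefere.exe is the mismatch the signature "Sample file is different than original file name gathered from version info" keys on. The check below is an added example, not the sandbox's code. It scans for the UTF-16LE key the way the string hits above were produced, so it works on memory dumps as well as files; the sample blobs are constructed, not taken from the sample.

```python
import re

# VS_VERSIONINFO string-table keys are UTF-16LE
KEY = "OriginalFilename".encode("utf-16-le")


def original_filenames(data):
    """Return every OriginalFilename value present in a PE file or memory dump.

    Each string-table entry is: key, NUL terminator, DWORD padding, then the
    NUL-terminated UTF-16LE value. Scanning for the key instead of walking the
    resource tree means the check also works on a raw memory dump, which is
    why a dump of the whole process also yields the runtime's own clr.dll.
    """
    names = []
    for m in re.finditer(re.escape(KEY), data):
        pos = m.end()
        # skip the key's terminator and any alignment padding (aligned NUL pairs)
        while pos + 2 <= len(data) and data[pos:pos + 2] == b"\x00\x00":
            pos += 2
        end = pos
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        value = data[pos:end].decode("utf-16-le", errors="replace").strip()
        if value:
            names.append(value)
    return names


def filename_mismatches(disk_name, data):
    """Declared names that differ from the on-disk name (case-insensitive)."""
    disk = disk_name.lower()
    return [n for n in original_filenames(data) if n.lower() != disk]


def _versioninfo_entry(value):
    """Lay out one string-table entry the way the resource compiler does."""
    return KEY + b"\x00\x00" + b"\x00\x00" + value.encode("utf-16-le") + b"\x00\x00"


# Constructed sample blobs (not bytes from the sample). The first mimics what the
# report saw: the image declares itself as IObjectRefere.exe while running as
# INVOICE.exe; the clr.dll entry stands in for the loaded runtime in a full dump.
RENAMED_SAMPLE = (b"\x90" * 16 + _versioninfo_entry("IObjectRefere.exe")
                  + b"\xCC" * 8 + _versioninfo_entry("clr.dll") + b"\x00" * 8)
HONEST_SAMPLE = b"\x90" * 16 + _versioninfo_entry("INVOICE.exe") + b"\x00" * 8

if __name__ == "__main__":
    print(filename_mismatches("INVOICE.exe", RENAMED_SAMPLE))
    print(filename_mismatches("INVOICE.exe", HONEST_SAMPLE))
```

On a whole-process dump every loaded module contributes its own OriginalFilename (clr.dll above), so the mismatch is only meaningful for the main image's own region or the file on disk; compare against the dump of the sample's image base, as the report does, not the entire address space.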
        Source: INVOICE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: INVOICE.exe ReversingLabs: Detection: 26%
        Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
        Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Users\user\Desktop\INVOICE.exe C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Users\user\Desktop\INVOICE.exe C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE.exe.log
        Source: classification engine Classification label: mal100.troj.evad.winEXE@3/5@15/2
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\INVOICE.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}
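Two of the behaviours above are cheap to detect from endpoint telemetry: the sample starts a second copy of its own executable with no arguments (the two "Process created" lines, the shape a .NET loader produces when it hollows a suspended copy of itself before writing the RAT image into it), and a process then creates a Global mutex named by a bare GUID (the "Mutant created" line). The following is an added example, not part of the report, that runs both checks over Sysmon Event ID 1 style process records and mutex records and correlates them per process. The event list is constructed: the PIDs, the explorer.exe parent and the browser row are illustrative, only the image path and the GUID come from the report.

```python
import re
from collections import defaultdict

GLOBAL_MUTEX_RE = re.compile(
    r"\\BaseNamedObjects\\Global\\\{([0-9a-f-]{36})\}$", re.IGNORECASE)

# Constructed event stream modelled on the "Process created" and "Mutant created"
# lines above. PIDs and the explorer/browser rows are illustrative; the image
# path and the GUID are the ones the report shows.
EVENTS = [
    {"kind": "process", "pid": 1001, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"kind": "process", "pid": 1002, "ppid": 1001,
     "image": r"C:\Users\user\Desktop\INVOICE.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\INVOICE.exe"'},
    {"kind": "process", "pid": 1003, "ppid": 1002,
     "image": r"C:\Users\user\Desktop\INVOICE.exe", "parent_image": r"C:\Users\user\Desktop\INVOICE.exe",
     "cmdline": r"C:\Users\user\Desktop\INVOICE.exe"},
    {"kind": "process", "pid": 1004, "ppid": 1002,
     "image": r"C:\Users\user\Desktop\INVOICE.exe", "parent_image": r"C:\Users\user\Desktop\INVOICE.exe",
     "cmdline": r"C:\Users\user\Desktop\INVOICE.exe"},
    {"kind": "mutex", "pid": 1003,
     "name": r"\Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}"},
    # benign self-spawn for contrast: a browser starting its own renderer with arguments
    {"kind": "process", "pid": 2001, "ppid": 2000,
     "image": r"C:\Program Files\Browser\browser.exe", "parent_image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": r'"C:\Program Files\Browser\browser.exe" --type=renderer'},
]


def _strip_image(cmdline):
    """Command line with the (possibly quoted) image path removed."""
    m = re.match(r'^\s*("[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(2) if m else cmdline


def self_spawns(events):
    """Processes whose parent is the same executable.

    A loader that hollows a copy of itself starts that copy with no arguments,
    so "same image, empty argument list" is the high-confidence shape;
    self-spawns with arguments (browsers, updaters) are common and benign.
    """
    hits = []
    for e in events:
        if e["kind"] != "process" or e["image"].lower() != e["parent_image"].lower():
            continue
        hits.append({"pid": e["pid"], "ppid": e["ppid"], "image": e["image"],
                     "no_args": _strip_image(e["cmdline"]) == ""})
    return hits


def global_guid_mutexes(events):
    """pid -> list of GUIDs it created as Global\\{GUID} mutexes."""
    out = defaultdict(list)
    for e in events:
        if e["kind"] == "mutex":
            m = GLOBAL_MUTEX_RE.search(e["name"])
            if m:
                out[e["pid"]].append(m.group(1).lower())
    return dict(out)


def score(events):
    """Per self-spawned pid: 2 = argument-less self-spawn plus a Global\\{GUID}
    mutex, 1 = argument-less self-spawn only, 0 = self-spawn with arguments."""
    mutexes = global_guid_mutexes(events)
    result = {}
    for h in self_spawns(events):
        s = 1 if h["no_args"] else 0
        if s and h["pid"] in mutexes:
            s = 2
        result[h["pid"]] = s
    return result


if __name__ == "__main__":
    for pid, s in sorted(score(EVENTS).items()):
        print(pid, s)
```

The GUID is also the pivot: the same mutex name on another host means the same build of the RAT, which is why it is worth normalising to lowercase and storing alongside the hash.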
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: INVOICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: INVOICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb source: INVOICE.exe
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb, source: INVOICE.exe

        Data Obfuscation

        Source: INVOICE.exe, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.7.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.13.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.1.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.11.unpack, TemporalToolkit/frmMain.cs .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.3.unpack, TemporalToolkit/frmMain.cs.Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.5.unpack, TemporalToolkit/frmMain.cs.Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.0.unpack, TemporalToolkit/frmMain.cs.Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.2.unpack, TemporalToolkit/frmMain.cs.Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.9.unpack, TemporalToolkit/frmMain.cs.Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: INVOICE.exe, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 0.2.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 0.0.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.7.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.13.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.1.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.11.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.3.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.5.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.0.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.2.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.9.unpack, TemporalToolkit/frmMain.cs.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_009A7B71 pushad ; retf
        Source: initial sampleStatic PE information: section name: .text entropy: 7.94289795658
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: C:\Users\user\Desktop\INVOICE.exeFile opened: C:\Users\user\Desktop\INVOICE.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\INVOICE.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\INVOICE.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        barindex
        Source: Yara matchFile source: 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: INVOICE.exe, 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
        Source: INVOICE.exe, 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 6104Thread sleep time: -45733s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 6408Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 3360Thread sleep time: -17524406870024063s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\INVOICE.exeWindow / User API: threadDelayed 7966
        Source: C:\Users\user\Desktop\INVOICE.exeWindow / User API: threadDelayed 1254
        Source: C:\Users\user\Desktop\INVOICE.exeWindow / User API: foregroundWindowGot 767
        Source: C:\Users\user\Desktop\INVOICE.exeWindow / User API: foregroundWindowGot 674
        Source: C:\Users\user\Desktop\INVOICE.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\INVOICE.exeThread delayed: delay time: 45733
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\INVOICE.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\INVOICE.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Source: C:\Users\user\Desktop\INVOICE.exeMemory written: C:\Users\user\Desktop\INVOICE.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\INVOICE.exeProcess created: C:\Users\user\Desktop\INVOICE.exe C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information

        Source: Yara match | File source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR

        Remote Access Functionality

        Source: INVOICE.exe, 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: INVOICE.exe, 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR
        MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts1
        Windows Management Instrumentation
        Path Interception111
        Process Injection
        1
        Masquerading
        1
        Input Capture
        1
        Query Registry
        Remote Services1
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Disable or Modify Tools
        LSASS Memory111
        Security Software Discovery
        Remote Desktop Protocol11
        Archive Collected Data
        Exfiltration Over Bluetooth1
        Non-Standard Port
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
        Virtualization/Sandbox Evasion
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
        Remote Access Software
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
        Process Injection
        NTDS21
        Virtualization/Sandbox Evasion
        Distributed Component Object ModelInput CaptureScheduled Transfer1
        Non-Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information
        LSA Secrets1
        Application Window Discovery
        SSHKeyloggingData Transfer Size Limits21
        Application Layer Protocol
        Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Hidden Files and Directories
        Cached Domain Credentials12
        System Information Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items2
        Obfuscated Files or Information
        DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job23
        Software Packing
        Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Source | Detection | Scanner | Label
        INVOICE.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        INVOICE.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        Source | Detection | Scanner | Label
        3.0.INVOICE.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        No Antivirus matches
        Source | Detection | Scanner | Label
        (empty URL) | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.fontbureau.coma | 0% | URL Reputation | safe
        http://www.fontbureau.comiona | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        deranano2.ddns.net | 100% | Avira URL Cloud | malware
        http://www.fontbureau.comdiao2 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        deranano2.ddns.net | 212.193.30.204 | true | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        (empty name) | true | Avira URL Cloud: safe | low
        deranano2.ddns.net | true | Avira URL Cloud: malware | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.fontbureau.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.fontbureau.com/designersG | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.fontbureau.com/designers/? | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.tiro.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.goodfont.co.kr | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.coma | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comiona | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.fontbureau.comdiao2 | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/ | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.fonts.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.sandoll.co.kr | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               IP | Domain | Country | ASN | ASN Name | Malicious
                               212.193.30.204 | deranano2.ddns.net | Russian Federation | 57844 | SPD-NETTR | true
                               Private IPs: 192.168.2.1
                               Joe Sandbox Version: 34.0.0 Boulder Opal
                               Analysis ID: 628640
                               Start date and time: 2022-05-17 20:28:39 +02:00
                               Joe Sandbox Product: CloudBasic
                               Overall analysis duration: 0h 9m 16s
                               Hypervisor based Inspection enabled: false
                               Report type: light
                               Sample file name: INVOICE.exe
                               Cookbook file name: default.jbs
                               Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                               Number of new started processes analysed: 18
                               Number of new started drivers analysed: 0
                               Number of existing processes analysed: 0
                               Number of existing drivers analysed: 0
                               Number of injected processes analysed: 0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                               Analysis Mode: default
                               Analysis stop reason: Timeout
                               Detection: MAL
                               Classification: mal100.troj.evad.winEXE@3/5@15/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 0.1% (good quality ratio 0.1%)
                              • Quality average: 42.3%
                              • Quality standard deviation: 32.8%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Adjust boot time
                              • Enable AMSI
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • TCP Packets have been reduced to 100
                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.223.24.244
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • VT rate limit hit for: INVOICE.exe
                               Time | Type | Description
                               20:30:06 | API Interceptor | 795x Sleep call for process: INVOICE.exe modified
                              No context
                               Process: C:\Users\user\Desktop\INVOICE.exe
                               File Type: ASCII text, with CRLF line terminators
                               Category: dropped
                               Size (bytes): 1308
                               Entropy (8bit): 5.345811588615766
                               Encrypted: false
                               SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                               MD5: EA78C102145ED608EF0E407B978AF339
                               SHA1: 66C9179ED9675B9271A97AB1FC878077E09AB731
                               SHA-256: 8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                               SHA-512: 8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                               Malicious: true
                               Reputation: moderate, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                              Process:C:\Users\user\Desktop\INVOICE.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.024371743172393
                              Encrypted:false
                              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                              MD5:32D0AAE13696FF7F8AF33B2D22451028
                              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Process:C:\Users\user\Desktop\INVOICE.exe
                              File Type:Non-ISO extended-ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:q8l9tn:q8Fn
                              MD5:A8BADF4E8D986108589909B1AE02C207
                              SHA1:80D375744D4B880EE40956B61AB5E7E3B6C696FE
                              SHA-256:B9FE1CD4CAEDEADEAE92F8C70EDA0B0DA99FDCC0DC788157D7B28AE6799AA06F
                              SHA-512:5F1C1FB140D9BA7FF5FD373742A116237C8665ED483FE4950D41F5AB729711162223CAF840879E52E03B51949DB7608039C839EE77FD0A8DD10C2723F0406336
                              Malicious:true
                              Reputation:low
                              Process:C:\Users\user\Desktop\INVOICE.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40
                              Entropy (8bit):5.153055907333276
                              Encrypted:false
                              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                              MD5:4E5E92E2369688041CC82EF9650EDED2
                              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Process:C:\Users\user\Desktop\INVOICE.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):327432
                              Entropy (8bit):7.99938831605763
                              Encrypted:true
                              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                              Malicious:false
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.935606119244415
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:INVOICE.exe
                              File size:656896
                              MD5:9d58123708f80d79654d981a8b6d9924
                              SHA1:27317b8dbf347408865b071cd40f8c97d1522482
                              SHA256:b9066fabc2944828b98d6f22985038c59a5f6cfb1ae09b2f6b5c89bf87a43c44
                              SHA512:f6b5cfbe894549644337e605513e3d8d517c16a167141eb693033d95ff5c9b95f6a8a72090605dd9817827a5453abc828d7a1ec4088afe019151cbddeed8a2b8
                              SSDEEP:12288:nsWyvNVQClWSEqOPhn/qu09/c3OwKjGes84ChuNtrzMnrj3NcMs0Tve:nsWI7WSEv/ql/mOjZsiuN5z6sQ
                              TLSH:29D4120A709EEB3BC97CB7F95441525013B1B22B3457E32C9ECAE0C75A9BF406685B17
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...og.b..............0......@......V.... ........@.. .......................`............@................................
                              Icon Hash:64e4d2eeacd6d819
                              Entrypoint:0x49e356
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x6283676F [Tue May 17 09:14:23 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              add dword ptr [eax], eax
                              add byte ptr [eax], al
                              add al, byte ptr [eax]
                              add byte ptr [eax], al
                              add eax, dword ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              pop ds
                              add byte ptr [eax], al
                              add bh, bh
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9e304 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x3c74 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9e1cc | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x9c39c | 0x9c400 | False | 0.9418953125 | data | 7.94289795658 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xa0000 | 0x3c74 | 0x3e00 | False | 0.92244203629 | data | 7.6910187968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xa4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xa00c8 | 0x3832 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | |
| RT_GROUP_ICON | 0xa390c | 0x14 | data | | |
| RT_VERSION | 0xa3930 | 0x340 | data | | |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Chandler's 2022 (C) |
| Assembly Version | 1.1.0.0 |
| InternalName | IObjectRefere.exe |
| FileVersion | 1.1.0.0 |
| CompanyName | Chandler's |
| LegalTrademarks | |
| Comments | |
| ProductName | TemporalToolkit |
| ProductVersion | 1.1.0.0 |
| FileDescription | |
| OriginalFilename | IObjectRefere.exe |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/17/22-20:31:37.145576 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49815 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:47.656373 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49794 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:48.726428 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 1187 | 49818 | 212.193.30.204 | 192.168.2.5 |
| 05/17/22-20:31:53.756641 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 1187 | 49819 | 212.193.30.204 | 192.168.2.5 |
| 05/17/22-20:31:58.715420 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49822 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:10.821016 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49806 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:00.853122 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49803 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:54.580308 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49797 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:01.197924 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49803 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:40.618852 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49787 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:32:03.661713 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 1187 | 49822 | 212.193.30.204 | 192.168.2.5 |
| 05/17/22-20:30:55.725499 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49797 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:38.957783 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:42.303773 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49816 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:22.376109 | TCP | 2841753 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) | 1187 | 49812 | 212.193.30.204 | 192.168.2.5 |
| 05/17/22-20:31:07.938867 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49806 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:17.197289 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49809 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:31.001024 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:15.942780 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49809 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:22.345784 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49812 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:53.726213 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49819 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:58.625380 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49822 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:46.018194 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49794 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:36.233314 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49815 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:43.265162 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49816 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:24.595254 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:29.263030 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49813 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:48.698744 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49818 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:31:31.058415 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49813 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:22.925084 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:33.613252 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49781 | 1187 | 192.168.2.5 | 212.193.30.204 |
| 05/17/22-20:30:47.256191 | TCP | 2810290 | ETPRO TROJAN NanoCore RAT Keepalive Response 1 | 1187 | 49794 | 212.193.30.204 | 192.168.2.5 |
| 05/17/22-20:31:02.293623 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49803 | 1187 | 192.168.2.5 | 212.193.30.204 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 17, 2022 20:30:22.785531044 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:22.812949896 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:22.813136101 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:22.925084114 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:22.968403101 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:22.978699923 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.006140947 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.148186922 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.257045984 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.332336903 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.373541117 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.373573065 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.373589993 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.373610973 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.373697042 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.400897980 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.400927067 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.400942087 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.400959015 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.400975943 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.400989056 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.400991917 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.401010990 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.401016951 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.401030064 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.401040077 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.401334047 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.427997112 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428025007 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428041935 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428057909 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428075075 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428091049 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428100109 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428107977 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428128004 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428144932 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428148985 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428163052 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428167105 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428180933 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428198099 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428214073 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428215027 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428234100 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428236008 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428251982 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428272009 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.428286076 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.428317070 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.455166101 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455198050 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455214977 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455231905 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455249071 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455265045 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455281973 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455298901 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455317020 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455332994 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455348969 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455365896 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455383062 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455399036 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455415964 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455431938 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455450058 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455467939 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455485106 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455502033 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455518961 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455534935 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455550909 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455566883 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455584049 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455601931 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455617905 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455634117 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455650091 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455666065 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455682039 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455698967 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.455773115 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.455830097 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.483926058 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.483972073 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484000921 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484030008 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484041929 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.484057903 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484086990 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484095097 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.484117031 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484143019 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484144926 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.484170914 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484198093 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484224081 CEST | 49772 | 1187 | 192.168.2.5 | 212.193.30.204 |
| May 17, 2022 20:30:23.484225988 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| May 17, 2022 20:30:23.484257936 CEST | 1187 | 49772 | 212.193.30.204 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 17, 2022 20:30:22.744570971 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:30:22.764415979 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:30:30.888555050 CEST | 63187 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:30:30.910044909 CEST | 53 | 63187 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:30:38.901221037 CEST | 61941 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:30:38.922380924 CEST | 53 | 61941 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:30:45.969238997 CEST | 63241 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:30:45.988259077 CEST | 53 | 63241 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:30:54.377773046 CEST | 57809 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:30:54.399000883 CEST | 53 | 57809 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:00.802875042 CEST | 62680 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:00.823893070 CEST | 53 | 62680 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:07.682859898 CEST | 49912 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:07.700628042 CEST | 53 | 49912 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:15.894793987 CEST | 57990 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:15.914181948 CEST | 53 | 57990 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:22.294926882 CEST | 54463 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:22.315357924 CEST | 53 | 54463 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:29.212796926 CEST | 63718 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:29.232027054 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:36.179580927 CEST | 61126 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:36.196830034 CEST | 53 | 61126 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:42.240658998 CEST | 54152 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:42.261655092 CEST | 53 | 54152 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:48.642363071 CEST | 53194 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:48.660270929 CEST | 53 | 53194 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:53.676034927 CEST | 50393 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:53.695802927 CEST | 53 | 50393 | 8.8.8.8 | 192.168.2.5 |
| May 17, 2022 20:31:58.573787928 CEST | 61458 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 17, 2022 20:31:58.593518019 CEST | 53 | 61458 | 8.8.8.8 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| May 17, 2022 20:30:22.744570971 CEST | 192.168.2.5 | 8.8.8.8 | 0x262e | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:30:30.888555050 CEST | 192.168.2.5 | 8.8.8.8 | 0xff17 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:30:38.901221037 CEST | 192.168.2.5 | 8.8.8.8 | 0x2997 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:30:45.969238997 CEST | 192.168.2.5 | 8.8.8.8 | 0xb8ef | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:30:54.377773046 CEST | 192.168.2.5 | 8.8.8.8 | 0x40dd | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:00.802875042 CEST | 192.168.2.5 | 8.8.8.8 | 0xd7d7 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:07.682859898 CEST | 192.168.2.5 | 8.8.8.8 | 0xb849 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:15.894793987 CEST | 192.168.2.5 | 8.8.8.8 | 0x9ea0 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:22.294926882 CEST | 192.168.2.5 | 8.8.8.8 | 0xf974 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:29.212796926 CEST | 192.168.2.5 | 8.8.8.8 | 0xf8e0 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:36.179580927 CEST | 192.168.2.5 | 8.8.8.8 | 0xd91b | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:42.240658998 CEST | 192.168.2.5 | 8.8.8.8 | 0xf075 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:48.642363071 CEST | 192.168.2.5 | 8.8.8.8 | 0x4878 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:53.676034927 CEST | 192.168.2.5 | 8.8.8.8 | 0xa5d3 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
| May 17, 2022 20:31:58.573787928 CEST | 192.168.2.5 | 8.8.8.8 | 0xe914 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001) |
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              May 17, 2022 20:30:22.764415979 CEST | 8.8.8.8 | 192.168.2.5 | 0x262e | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:30:30.910044909 CEST | 8.8.8.8 | 192.168.2.5 | 0xff17 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:30:38.922380924 CEST | 8.8.8.8 | 192.168.2.5 | 0x2997 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:30:45.988259077 CEST | 8.8.8.8 | 192.168.2.5 | 0xb8ef | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:30:54.399000883 CEST | 8.8.8.8 | 192.168.2.5 | 0x40dd | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:00.823893070 CEST | 8.8.8.8 | 192.168.2.5 | 0xd7d7 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:07.700628042 CEST | 8.8.8.8 | 192.168.2.5 | 0xb849 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:15.914181948 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ea0 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:22.315357924 CEST | 8.8.8.8 | 192.168.2.5 | 0xf974 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:29.232027054 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8e0 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:36.196830034 CEST | 8.8.8.8 | 192.168.2.5 | 0xd91b | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:42.261655092 CEST | 8.8.8.8 | 192.168.2.5 | 0xf075 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:48.660270929 CEST | 8.8.8.8 | 192.168.2.5 | 0x4878 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:53.695802927 CEST | 8.8.8.8 | 192.168.2.5 | 0xa5d3 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
                              May 17, 2022 20:31:58.593518019 CEST | 8.8.8.8 | 192.168.2.5 | 0xe914 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)


                              Target ID:0
                              Start time:20:29:53
                              Start date:17/05/2022
                              Path:C:\Users\user\Desktop\INVOICE.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\INVOICE.exe"
                              Imagebase:0x3d0000
                              File size:656896 bytes
                              MD5 hash:9D58123708F80D79654D981A8B6D9924
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Target ID:3
                              Start time:20:30:14
                              Start date:17/05/2022
                              Path:C:\Users\user\Desktop\INVOICE.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\INVOICE.exe
                              Imagebase:0xb40000
                              File size:656896 bytes
                              MD5 hash:9D58123708F80D79654D981A8B6D9924
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              No disassembly