Analysis Report d4e475d7d17a16be8b9eeac6e10b25af

Overview

General Information

Sample Name:	d4e475d7d17a16be8b9eeac6e10b25af (renamed file extension from none to exe)
Analysis ID:	320928
MD5:	5162337b6fd4c8806ef62f6ebf4a5df8
SHA1:	126642db1117de853d7e0ae601e0ff45358d7413
SHA256:	9c2e4a4a0e7bb4c3c47ca33ec0d0c377fa38e0ae498721062432648ebf060a10
Tags:	NanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Contains functionality to inject code into remote processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Avira: detection malicious, Label: HEUR/AGEN.1100084

Found malware configuration

Source: RegAsm.exe.4332.3.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for submitted file

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Virustotal: Detection: 66%	Perma Link
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Metadefender: Detection: 37%	Perma Link
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	ReversingLabs: Detection: 70%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY
Source: Yara match	File source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00424696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00424696
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00423D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00423D4E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_004245C1 FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,	2_2_004245C1
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042C93C FindFirstFileW,FindClose,	2_2_0042C93C
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	2_2_0042C9C7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042F200
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042F35D
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_0042F65E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00423A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00423A2B
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_0042BF27 FindFirstFileW,FindNextFileW,FindClose,	2_2_0042BF27

Networking:

Uses dynamic DNS services

Source: unknown

DNS query: name: windowslivesoffice.ddns.net

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_004325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_004325E2

Source: unknown

DNS traffic detected: queries for: windowslivesoffice.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0043425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_0043425A

Contains functionality to read the clipboard data

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

2_2_0043425A

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_00420219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

2_2_00420219

Installs a raw input device (often for capturing keystrokes)

Source: RegAsm.exe, 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Potential key logger detected (key state polling based)

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0044CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

2_2_0044CDAC

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY
Source: Yara match	File source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY
Source: Yara match	File source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

AutoIt script contains suspicious strings

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH

Binary is likely a compiled AutoIt script file

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000000.204952653.00000000009A5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: This is a third-party compiled AutoIt script.	2_2_003C3B4C
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 00000002.00000002.255961401.0000000000475000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Contains functionality to communicate with device drivers

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_00424021: CreateFileW,DeviceIoControl,CloseHandle,

2_2_00424021

Contains functionality to launch a process as a different user

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_00418858 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

2_2_00418858

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0042545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_0042545F

Detected potential crypto function

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E33C7	2_2_003E33C7
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003CFE40	2_2_003CFE40
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E2405	2_2_003E2405
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D44B6	2_2_003D44B6
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00440665	2_2_00440665
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003F267E	2_2_003F267E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E283A	2_2_003E283A
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D6843	2_2_003D6843
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003F89DF	2_2_003F89DF
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00440AE2	2_2_00440AE2
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003F6A94	2_2_003F6A94
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00428B13	2_2_00428B13
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003ECD61	2_2_003ECD61
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003F7006	2_2_003F7006
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D710E	2_2_003D710E
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D3190	2_2_003D3190
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003C1287	2_2_003C1287
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003EF419	2_2_003EF419
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E16C4	2_2_003E16C4
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E1BB8	2_2_003E1BB8
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003F9D05	2_2_003F9D05
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003EBFE6	2_2_003EBFE6
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E1FD0	2_2_003E1FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_02FA2FA8	3_2_02FA2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_02FA23A0	3_2_02FA23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_02FA3850	3_2_02FA3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 3_2_02FA306F	3_2_02FA306F

Found potential string decryption / allocating functions

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: String function: 003C7F41 appears 35 times
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: String function: 003E8B40 appears 42 times
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: String function: 003E0D27 appears 70 times

PE file contains strange resources

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Yara signature match

Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.209839006.00000000010BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.254683276.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.209991404.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.209808084.0000000001147000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.209532145.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231856687.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.230915051.0000000001129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231281467.0000000001180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.230856862.00000000011B4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.254526561.00000000011E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.254613953.00000000011B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.254797061.0000000000F9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231188805.0000000001154000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.210637735.000000000106B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.232736755.0000000000E62000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231305365.0000000001181000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231549555.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.250595233.0000000003451000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.210116902.00000000010E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.210229940.0000000001114000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000003.231711637.00000000010FD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 5944, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4332, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: d4e475d7d17a16be8b9eeac6e10b25af.exe PID: 576, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/7@8/2

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0042A2D5 GetLastError,FormatMessageW,

2_2_0042A2D5

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00418713 AdjustTokenPrivileges,CloseHandle,		2_2_00418713
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00418CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_00418CC3

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0042B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_0042B59E

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_00423E91 PeekMessageW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

2_2_00423E91

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_0042C602 CoInitialize,CoCreateInstance,CoUninitialize,

2_2_0042C602

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat

Code function: 2_2_003C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

2_2_003C4FE9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebebb95b-836f-4d8b-92f1-dafac3cec9d8}

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe 'C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	Static PE information: real checksum: 0xeeb70 should be: 0x11e6ba
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Static PE information: real checksum: 0xeeb70 should be: 0x1228ef

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D43B7 push edi; ret	2_2_003D43B9
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003D43CB push edi; ret	2_2_003D43CD
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003CC590 push eax; retn 003Ch	2_2_003CC599
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003E8B85 push ecx; ret	2_2_003E8B98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04CB0007 push cs; retf	7_2_04CB001E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04CB00B9 push ds; iretd	7_2_04CB00BA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04CB001F push ds; iretd	7_2_04CB006A

Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.3.d4e475d7d17a16be8b9eeac6e10b25af.exe.38e0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.3.DiagnosticsHub.StandardCollector.Service.exe.bat.e60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_003C4A35
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_004455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		2_2_004455FD

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Window / User API: threadDelayed 7081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: threadDelayed 642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Window / User API: foregroundWindowGot 813	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Window / User API: threadDelayed 502	Jump to behavior

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe TID: 2412	Thread sleep count: 7081 > 30	Jump to behavior
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe TID: 2412	Thread sleep time: -70810s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5892	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5888	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat TID: 5072	Thread sleep count: 502 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Code function: 0_3_038D00BE mov esi, dword ptr fs:[00000030h]	0_3_038D00BE
Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Code function: 0_3_038D00BE mov esi, dword ptr fs:[00000030h]	0_3_038D00BE
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_3_00E300BE mov esi, dword ptr fs:[00000030h]	2_3_00E300BE
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_3_00E300BE mov esi, dword ptr fs:[00000030h]	2_3_00E300BE

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003EA364 SetUnhandledExceptionFilter,		2_2_003EA364
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_003EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_003EA395

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write			Jump to behavior

Source: C:\Users\user\Desktop\d4e475d7d17a16be8b9eeac6e10b25af.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior

Analysis Report d4e475d7d17a16be8b9eeac6e10b25af

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: Shell_TrayWnd

Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_81
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_XP
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_XPe
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_VISTA
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_7
Source: DiagnosticsHub.StandardCollector.Service.exe.bat	Binary or memory string: WIN_8
Source: d4e475d7d17a16be8b9eeac6e10b25af.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: d4e475d7d17a16be8b9eeac6e10b25af.exe, 00000000.00000003.211542928.00000000038E2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 00000002.00000003.255242846.0000000000FA4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000003.00000002.249609796.0000000000402000.00000020.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000003.00000002.250629843.0000000004451000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00436596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		2_2_00436596
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 2_2_00436A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		2_2_00436A5A

ID:	320928
Product:	CloudBasic
Start time:	07:23:08
Start date:	20.11.2020
Sample:	d4e475d7d17a16be8b9eeac6e10b25af
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5162337b6fd4c8806ef62f6ebf4a5df8
SHA1:	126642db1117de853d7e0ae601e0ff45358d7413
SHA256:	9c2e4a4a0e7bb4c3c47ca33ec0d0c377fa38e0ae498721062432648ebf060a10
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	529695608EAFBED00ACA9E61EF333A7C	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log	ASCII text, with CRLF line terminators	61CCF53571C9ABA6511D696CB0D32E45	A13A42A20EC14942F52DB20FB16A0A520F8183CE	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	B3AC9D09E3A47D5FD00C37E075A70ECB	AD14E6D0E07B00BD10D77A06D68841B20675680B	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	data	C8C55F14E620A40AF72BA9FB954B53B7	26204CA80EDC41FE334D14B13D7D362ED1BDB63A	B31C3E533C19283D0E1C6293836D503DCB4D849FA80406E8BA9B2F93069EA3D3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 20 14:23:58 2020, mtime=Fri Nov 20 14:23:58 2020, atime=Fri Nov 20 14:23:58 2020, length=1124928, window=hide	9605AC37B3F6DE1696D5748CEF890D4F	6EA4664E24A6B40707294E0C2C94FF0D3D29E873	2E6D3FF6EE73345692DEE4CA6BDCC2654876AB71A228E3C1E7B3108C08E2D22F
C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	PE32 executable (GUI) Intel 80386, for MS Windows	F660ED54597E4FF5354B557329CAB70D	6222B1BD8920FA8FAD0507278E563E1736EBC257	B242D6C625537AC1CF52752A1997C035063C8E4B5648C41D443A2926F7C599E5
\Device\ConDrv	ASCII text, with CRLF line terminators	367EEEC425FE7E80B723298C447E2F22	3873DFC88AF504FF79231FE2BF0E3CD93CE45195	481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC