
Analysis Report New PO 64739 (UK).exe

Overview

General Information

Sample Name: New PO 64739 (UK).exe
Analysis ID: 323002
MD5: b6babb0d3661cd172c93c496dc4c1db1
SHA1: de2db850207d77611f557a060681f2c2a19ae1ef
SHA256: bca89f6ecbf4dfde0cc003b96f907ae1ab9b33a64650836d547d07291a059e86
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New PO 64739 (UK).exe (PID: 1308 cmdline: 'C:\Users\user\Desktop\New PO 64739 (UK).exe' MD5: B6BABB0D3661CD172C93C496DC4C1DB1)
    • schtasks.exe (PID: 5904 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6016 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.207"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x15f1:$a: NanoCore
  • 0x164a:$a: NanoCore
  • 0x1687:$a: NanoCore
  • 0x1700:$a: NanoCore
  • 0x14dab:$a: NanoCore
  • 0x14dc0:$a: NanoCore
  • 0x14df5:$a: NanoCore
  • 0x22a0a:$a: NanoCore
  • 0x22a2f:$a: NanoCore
  • 0x22a88:$a: NanoCore
  • 0x32c25:$a: NanoCore
  • 0x32c4b:$a: NanoCore
  • 0x32ca7:$a: NanoCore
  • 0x3fafc:$a: NanoCore
  • 0x3fb55:$a: NanoCore
  • 0x3fb88:$a: NanoCore
  • 0x3fdb4:$a: NanoCore
  • 0x3fe30:$a: NanoCore
  • 0x40449:$a: NanoCore
  • 0x40592:$a: NanoCore
  • 0x40a66:$a: NanoCore
00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.MSBuild.exe.55c0000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.MSBuild.exe.55c0000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.MSBuild.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.MSBuild.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\New PO 64739 (UK).exe' , ParentImage: C:\Users\user\Desktop\New PO 64739 (UK).exe, ParentProcessId: 1308, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp', ProcessId: 5904

Signature Overview

AV Detection:

Found malware configuration
Source: MSBuild.exe.6016.4.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.207"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49696 -> 185.140.53.207:2121
Source: global traffic | TCP traffic: 192.168.2.5:49696 -> 185.140.53.207:2121
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.207
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: New PO 64739 (UK).exe, 00000000.00000002.264745155.00000000016F8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_0329015C NtQueryInformationProcess,
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290152 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290BB0 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290480
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290968
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290ED8
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03297D68
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_0329C7C0
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290470
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290958
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03290EC8
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_03297D59
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A1CE78
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A1C510
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A10006
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A10040
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A169D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_053BE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_053BE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_053BBBD4
Source: New PO 64739 (UK).exe | Binary or memory string: OriginalFilename vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000000.236804694.0000000000F42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameD0I8.exeP vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274713965.0000000006FF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274836383.00000000070F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.274836383.00000000070F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe, 00000000.00000002.264745155.00000000016F8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New PO 64739 (UK).exe
Source: New PO 64739 (UK).exe | Binary or memory string: OriginalFilenameD0I8.exeP vs New PO 64739 (UK).exe
Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.55c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File created: C:\Users\user\AppData\Roaming\TqGgKBQek.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Mutant created: \Sessions\1\BaseNamedObjects\rkIHgZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{34118051-8385-43c4-bed1-aa9e16db604f}
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File created: C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp
Source: New PO 64739 (UK).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File read: C:\Users\user\Desktop\New PO 64739 (UK).exe
Source: unknown | Process created: C:\Users\user\Desktop\New PO 64739 (UK).exe 'C:\Users\user\Desktop\New PO 64739 (UK).exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New PO 64739 (UK).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO 64739 (UK).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 4.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.MSBuild.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_00F45AF4 push ss; iretd
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A15243 push eax; iretd
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A15E5E push es; ret
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A15F62 push es; retf
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A15F51 push es; retf
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A14CA2 push ecx; iretd
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Code function: 0_2_06A15C7D push es; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.26752340009
          Source: 4.2.MSBuild.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.MSBuild.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File created: C:\Users\user\AppData\Roaming\TqGgKBQek.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265117190.0000000003390000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2929
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 6616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 612
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 797
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 1748 | Thread sleep time: -50584s >= -30000s
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 3056 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe TID: 1688 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4624 | Thread sleep time: -16602069666338586s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: MSBuild.exe, 00000004.00000002.504816638.000000000134C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
          Source: New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C43008
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: MSBuild.exe, 00000004.00000002.509159099.0000000003583000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: MSBuild.exe, 00000004.00000002.505036371.0000000001920000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: MSBuild.exe, 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Users\user\Desktop\New PO 64739 (UK).exe VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\New PO 64739 (UK).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
          Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: New PO 64739 (UK).exe, 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
uidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: MSBuild.exe, 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandl
eUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: New PO 64739 (UK).exe PID: 1308, type: MEMORY
Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 6016, type: MEMORY
Source: Yara match, File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 212 | Masquerading 1 | Input Capture 21 | Security Software Discovery 121 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
4.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New PO 64739 (UK).exe, 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp | false | | high

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.207 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323002
Start date: 26.11.2020
Start time: 07:56:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New PO 64739 (UK).exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/8@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.6% (good quality ratio 1.3%)
• Quality average: 52.8%
• Quality standard deviation: 32.9%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 92.122.144.200, 13.88.21.125, 2.20.142.209, 2.20.142.210
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323002/sample/New PO 64739 (UK).exe

            Simulations

            Behavior and APIs

Time | Type | Description
07:58:00 | API Interceptor | 1x Sleep call for process: New PO 64739 (UK).exe modified

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | Detection
185.140.53.207 | DHL Shipment 237590.pdf.exe | malicious
185.140.53.207 | Doc_AWB#5305323204643_UPS.pdf.exe | malicious
185.140.53.207 | irs Doc Attached.exe | malicious

                  Domains

                  No context

                  ASN


                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO 64739 (UK).exe.log
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
MD5: 8198C64CE0786EABD4C792E7E6FC30E5
SHA1: 71E1676126F4616B18C751A0A775B2D64944A15A
SHA-256: C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
SHA-512: EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.175965126269107
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBUtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3Q
MD5: 40116A05B516A07CF1C194259F56F2D2
SHA1: 8A86389C92C0A7C9E6CF5467E15CFF7BC9750142
SHA-256: F7BCDA8DF5E89517F99B4E4AC8CD5FAF36A9AEEB5B39DDAF753AADFD7FEDAC69
SHA-512: 4A9ED1686A93C54A5B3BB3193FEAF1EC322760876EB0A210A9D8734B886A7A7AEFD657B750271C5966CDFB98358D01730385ED5653994BE39685CD2BA992B8EA
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:fLNt:fLNt
MD5: 78D38F5EA0447F24368720C617A73787
SHA1: 40D69D1741E9DFCE88591F7D9E536742746EB82D
SHA-256: 5BF50106AF31E263A4E0286B8B0B3E2ACCAA5BFFF07418A5756C632FE62748D8
SHA-512: 17192164B2C28B723F1187071B737B97C780F9CB3424CDFCEB063FEA1F38BD3377F3424F8AA3B9A1F4F0090A95D45084A6F1306DEB1BAEDA453C4D7978690343
Malicious: true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
C:\Users\user\AppData\Roaming\TqGgKBQek.exe
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 936960
Entropy (8bit): 7.261816231890523
Encrypted: false
SSDEEP: 12288:zpH4EQ1NXT5zPvEzOh3CqA5vLs1R5eyZIHCJL4SI571xTXcsPPQk3LPf0TzAH8Uh:zpH4EQj5LvEKoq+vk2y6iJL4/ZcoPQa
MD5: B6BABB0D3661CD172C93C496DC4C1DB1
SHA1: DE2DB850207D77611F557A060681F2C2A19AE1EF
SHA-256: BCA89F6ECBF4DFDE0CC003B96F907AE1AB9B33A64650836D547D07291A059E86
SHA-512: 45DCE5171772DB72BF71FC72DAB6FEDA73995E7009F6B0BB74B2F25D6A5E23284C06C167505D56C79C6334A6E14E2B44B3117A4207F4396D4F71F01B1381CE91
Malicious: false
C:\Users\user\AppData\Roaming\TqGgKBQek.exe:Zone.Identifier
Process: C:\Users\user\Desktop\New PO 64739 (UK).exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

                  Static File Info

                  General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.261816231890523
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: New PO 64739 (UK).exe
File size: 936960
MD5: b6babb0d3661cd172c93c496dc4c1db1
SHA1: de2db850207d77611f557a060681f2c2a19ae1ef
SHA256: bca89f6ecbf4dfde0cc003b96f907ae1ab9b33a64650836d547d07291a059e86
SHA512: 45dce5171772db72bf71fc72dab6feda73995e7009f6b0bb74b2f25d6a5e23284c06c167505d56c79c6334a6e14e2b44b3117a4207f4396d4f71f01b1381ce91
SSDEEP: 12288:zpH4EQ1NXT5zPvEzOh3CqA5vLs1R5eyZIHCJL4SI571xTXcsPPQk3LPf0TzAH8Uh:zpH4EQj5LvEKoq+vk2y6iJL4/ZcoPQa

                  File Icon

Icon Hash: 00828e8e8686b000

                  Static PE Info

                  General

Entrypoint: 0x4e5f5e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FBF0D88 [Thu Nov 26 02:06:00 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe5f04 | 0x57 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x610 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe8000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xe3f64 | 0xe4000 | False | 0.677923905222 | data | 7.26752340009 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xe6000 | 0x610 | 0x800 | False | 0.33203125 | data | 3.44745876984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xe8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0xe60a0 | 0x380 | data | |
                  RT_MANIFEST | 0xe6420 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  Translation | 0x0000 0x04b0
                  LegalCopyright | Copyright Hewlett-Packard 2017
                  Assembly Version | 1.0.0.0
                  InternalName | D0I8.exe
                  FileVersion | 1.0.0.0
                  CompanyName | Hewlett-Packard
                  LegalTrademarks |
                  Comments |
                  ProductName | Arizona Lottery Numbers
                  ProductVersion | 1.0.0.0
                  FileDescription | Arizona Lottery Numbers
                  OriginalFilename | D0I8.exe

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  11/26/20-07:58:09.962435 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49696 | 2121 | 192.168.2.5 | 185.140.53.207

                  Network Port Distribution

                  TCP Packets


                  UDP Packets


                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:07:57:53
                  Start date:26/11/2020
                  Path:C:\Users\user\Desktop\New PO 64739 (UK).exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\New PO 64739 (UK).exe'
                  Imagebase:0xf40000
                  File size:936960 bytes
                  MD5 hash:B6BABB0D3661CD172C93C496DC4C1DB1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.265011054.00000000032E1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.266893873.00000000042E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.267084624.0000000004332000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.265117190.0000000003390000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:07:58:04
                  Start date:26/11/2020
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TqGgKBQek' /XML 'C:\Users\user\AppData\Local\Temp\tmpE3F1.tmp'
                  Imagebase:0x860000
                  File size:185856 bytes
                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:58:05
                  Start date:26/11/2020
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7ecfc0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:58:05
                  Start date:26/11/2020
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Imagebase:0xbb0000
                  File size:261728 bytes
                  MD5 hash:D621FD77BD585874F9686D3A76462EF1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.509333754.0000000003F73000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.510190949.0000000004B1F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.502584081.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.505217823.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.509509822.00000000047EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.505295151.0000000002F8C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.510056845.0000000004A34000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.509942877.00000000049FA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.512849217.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth
                  Reputation:moderate

                  Disassembly

                  Code Analysis
