Play interactive tour

Edit tour

Analysis Report https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0

Overview

General Information

Sample URL:	https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0
Analysis ID:	341895
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

PE file contains section with special chars

PE file has nameless sections

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

iexplore.exe (PID: 5152 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

unarchiver.exe (PID: 3440 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z' MD5: 8B435F8731563566F3F49203BA277865)

7za.exe (PID: 4848 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5876 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

FNYVlhLumPogrzL.exe (PID: 2208 cmdline: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe MD5: E2369B4A4D2E2C7F1F8AF4F7743532E9)

schtasks.exe (PID: 1536 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4912 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 4156 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5564 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4868 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 1180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4120 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 3880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x30477d:$x1: NanoCore.ClientPluginHost 0x3047ba:$x2: IClientNetworkHost 0x3082ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3044e5:$a: NanoCore 0x3044f5:$a: NanoCore 0x304729:$a: NanoCore 0x30473d:$a: NanoCore 0x30477d:$a: NanoCore 0x304544:$b: ClientPlugin 0x304746:$b: ClientPlugin 0x304786:$b: ClientPlugin 0x118bfe:$c: ProjectData 0x30466b:$c: ProjectData 0x119696:$d: DESCrypto 0x305072:$d: DESCrypto 0x30ca3e:$e: KeepAlive 0x30aa2c:$g: LogClientMessage 0x306c27:$i: get_Connected 0x3053a8:$j: #=q 0x3053d8:$j: #=q 0x3053f4:$j: #=q 0x305424:$j: #=q 0x305440:$j: #=q 0x30545c:$j: #=q
0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.277584166.00000000030D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x981a5:$x1: NanoCore.ClientPluginHost 0x981e2:$x2: IClientNetworkHost 0x9bd15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x97f0d:$a: NanoCore 0x97f1d:$a: NanoCore 0x98151:$a: NanoCore 0x98165:$a: NanoCore 0x981a5:$a: NanoCore 0x97f6c:$b: ClientPlugin 0x9816e:$b: ClientPlugin 0x981ae:$b: ClientPlugin 0x98093:$c: ProjectData 0x98a9a:$d: DESCrypto 0xa0466:$e: KeepAlive 0x9e454:$g: LogClientMessage 0x9a64f:$i: get_Connected 0x98dd0:$j: #=q 0x98e00:$j: #=q 0x98e1c:$j: #=q 0x98e4c:$j: #=q 0x98e68:$j: #=q 0x98e84:$j: #=q 0x98eb4:$j: #=q 0x98ed0:$j: #=q
Process Memory Space: RegSvcs.exe PID: 4912	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xeaffb:$x1: NanoCore.ClientPluginHost 0xed697:$x1: NanoCore.ClientPluginHost 0x1153a3:$x1: NanoCore.ClientPluginHost 0x12b8d3:$x1: NanoCore.ClientPluginHost 0x1320aa:$x1: NanoCore.ClientPluginHost 0x1471ca:$x1: NanoCore.ClientPluginHost 0x18dba1:$x1: NanoCore.ClientPluginHost 0xeb021:$x2: IClientNetworkHost 0x1153c9:$x2: IClientNetworkHost 0x1320ef:$x2: IClientNetworkHost 0x14720f:$x2: IClientNetworkHost 0x18dc02:$x2: IClientNetworkHost 0x193007:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a0f79:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 4912	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4912	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xeaeed:$a: NanoCore 0xeaf8e:$a: NanoCore 0xeaffb:$a: NanoCore 0xeb0bc:$a: NanoCore 0xebf8d:$a: NanoCore 0xebfe0:$a: NanoCore 0xec019:$a: NanoCore 0xec08c:$a: NanoCore 0xed697:$a: NanoCore 0xed711:$a: NanoCore 0xeda7d:$a: NanoCore 0xee53b:$a: NanoCore 0xee581:$a: NanoCore 0xee748:$a: NanoCore 0x115295:$a: NanoCore 0x115336:$a: NanoCore 0x1153a3:$a: NanoCore 0x115464:$a: NanoCore 0x116335:$a: NanoCore 0x116388:$a: NanoCore 0x1163c1:$a: NanoCore
Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a94ae:$x1: NanoCore.ClientPluginHost 0x1a950f:$x2: IClientNetworkHost 0x1ae914:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1bc886:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a8fb3:$a: NanoCore 0x1a8fcf:$a: NanoCore 0x1a912a:$a: NanoCore 0x1a9139:$a: NanoCore 0x1a9412:$a: NanoCore 0x1a943e:$a: NanoCore 0x1a94ae:$a: NanoCore 0x1b8ef0:$a: NanoCore 0x1b8f02:$a: NanoCore 0x1b8f3e:$a: NanoCore 0x1a905a:$b: ClientPlugin 0x1a9183:$b: ClientPlugin 0x1a9447:$b: ClientPlugin 0x1a94b7:$b: ClientPlugin 0x1b8f0b:$b: ClientPlugin 0x1b8f47:$b: ClientPlugin 0x1c177:$c: ProjectData 0x1e5a8:$c: ProjectData 0x177209:$c: ProjectData 0x17963a:$c: ProjectData 0x1a92d0:$c: ProjectData
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.RegSvcs.exe.5780000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.RegSvcs.exe.5780000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.RegSvcs.exe.6050000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.RegSvcs.exe.6050000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.RegSvcs.exe.6050000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RegSvcs.exe.6050000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
14.2.RegSvcs.exe.6050000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
14.2.RegSvcs.exe.6050000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RegSvcs.exe.6040000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
14.2.RegSvcs.exe.6040000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 4912, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe, ParentImage: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe, ParentProcessId: 2208, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp', ProcessId: 1536

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match	File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\FxuoZREPj.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Joe Sandbox ML: detected

Source: 14.2.RegSvcs.exe.6050000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: dbpdbvcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000001A.00000002.291671286.0000000005720000.00000002.00000001.sdmp
Source:	Binary string: .pdb71USE source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.14.dr
Source:	Binary string: vcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281971824.0000000005760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.473472471.0000000005D60000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291386372.0000000005120000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.291992470.00000000057D0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 02D5097Fh
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 02D5097Eh
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then mov esp, ebp

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\unarchiver.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 194.5.98.120:58103
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 194.5.98.120:58103

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 194.5.98.120 ports 0,1,3,58103,5,8

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: strongodss.ddns.net

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 14_2_05672FE2 WSARecv,

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/experimentDataSet.xsd
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259181693.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259925336.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html(
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259181693.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/v
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259925336.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersm
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259679205.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259679205.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersz
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comam
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como8
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn7
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnG
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnW
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.256845249.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnv
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261814632.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261981799.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmG
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.258413038.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comp
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.257491913.000000000559F000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com(
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261253439.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259111467.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de2
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261207771.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deO
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.259111467.000000000559C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dey
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: RegSvcs.exe, 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match	File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

PE file contains section with special chars

Show sources

Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: section name: }PT(h{>
Source: FxuoZREPj.exe.10.dr	Static PE information: section name: }PT(h{>

PE file has nameless sections

Show sources

Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: section name:
Source: FxuoZREPj.exe.10.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0121ABEE NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0121ABB3 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05671572 NtSetInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05671836 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05671541 NtSetInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_056717FB NtQuerySystemInformation,

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4_2_02D502A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4_2_02D50299
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520B118
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05203DA8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520D8F8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05202660
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05201E68
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05202EEA
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520ED28
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205D28
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05200110
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205D18
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05206178
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05203D45
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05201DB8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205580
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205590
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_052099F0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205831
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520A060
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05206C67
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205B38
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205B48
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205FA0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05205F90
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520AA40
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_05201283
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_06082182
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_060821A6
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_061D2E44
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_061D1380
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_061D1BE0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_061D1BD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_02E47ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_0555B530
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05553850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_055523A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05552FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05559A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05558E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_0555306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_0555A310
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05559B2F

Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FxuoZREPj.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: Section: }PT(h{> ZLIB complexity 1.00031377097
Source: FxuoZREPj.exe.10.dr	Static PE information: Section: }PT(h{> ZLIB complexity 1.00031377097

Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.262334538.000000000559C000.00000004.00000001.sdmp	Binary or memory string: c.slnt
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261981799.000000000559C000.00000004.00000001.sdmp	Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.262028370.000000000559C000.00000004.00000001.sdmp	Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt

Source: classification engine

Classification label: mal100.troj.evad.win@28/24@16/1

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0121A592 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0121A55B AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_056713F6 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_056713BF AdjustTokenPrivileges,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4840:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4168:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Mutant created: \Sessions\1\BaseNamedObjects\PTXTiysVRkmEztU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC5EFD22772502ADF.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp

Binary or memory string: select * from PMS;select * from PMS where

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:	Binary string: dbpdbvcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000001A.00000002.291671286.0000000005720000.00000002.00000001.sdmp
Source:	Binary string: .pdb71USE source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.14.dr
Source:	Binary string: vcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281971824.0000000005760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.473472471.0000000005D60000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291386372.0000000005120000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.291992470.00000000057D0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Unpacked PE file: 10.2.FNYVlhLumPogrzL.exe.8c0000.0.unpack }PT(h{>:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

.NET source code contains potential unpacker

Show sources

Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: section name: }PT(h{>
Source: FNYVlhLumPogrzL.exe.5.dr	Static PE information: section name:
Source: FxuoZREPj.exe.10.dr	Static PE information: section name: }PT(h{>
Source: FxuoZREPj.exe.10.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0091D5F0 push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_01224F2D push esp; ret
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520887A push es; retf
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Code function: 10_2_0520347C push edi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_02E4ADA8 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_02E49D72 push 7802E4CBh; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_02E4AD34 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_02E4AE1B push cs; retf

Source: initial sample	Static PE information: section name: }PT(h{> entropy: 7.99979160938
Source: initial sample	Static PE information: section name: }PT(h{> entropy: 7.99979160938

Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	File created: C:\Users\user\AppData\Roaming\FxuoZREPj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 0000000A.00000002.277584166.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1KR[R
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1KR

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: foregroundWindowGot 692

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5868	Thread sleep count: 194 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5868	Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe TID: 5388	Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe TID: 1564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 14_2_0567161A GetSystemInfo,

Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1kr`R
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: vmwareX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsX1kr"P
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.276452871.00000000010B2000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware3YUN599EWin32_VideoControllerK6E3EGV8VideoController120060621000000.000000-0005627.786display.infMSBDA7FNXXYUPPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsGN93ZUV3
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: QEMUX1kr^R
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1krMP
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMware\|9kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9kr
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp	Binary or memory string: VMware \|9kr
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: RegSvcs.exe, 0000000E.00000002.467863584.0000000001384000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Code function: 10_2_0121A172 CheckRemoteDebuggerPresent,

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F81008

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'

Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe

Code function: 10_2_05441586 GetUserNameA,

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match	File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match	File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match	File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05672B26 bind,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 14_2_05672AF6 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture11	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0	1%	Virustotal		Browse
https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\FxuoZREPj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.RegSvcs.exe.6050000.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
14.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.2.FNYVlhLumPogrzL.exe.8c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
strongodss.ddns.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnW	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmG	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnG	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.sakkal.comp	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.sakkal.comr	0%	Avira URL Cloud	safe
http://www.fontbureau.comam	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnv	0%	Avira URL Cloud	safe
http://www.urwpp.de2	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.tiro.com(	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.fontbureau.como8	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.urwpp.deO	0%	Avira URL Cloud	safe
http://www.fontbureau.comion	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.urwpp.dey	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn7	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strongodss.ddns.net	194.5.98.120	true	true	4%, Virustotal, Browse	unknown
onedrive.live.com	unknown	unknown	false		high
rptj2g.sn.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html(	FNYVlhLumPogrzL.exe, 0000000A.00000003.259925336.000000000559C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnW	FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htmG	FNYVlhLumPogrzL.exe, 0000000A.00000003.261981799.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnG	FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.comp	FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersm	FNYVlhLumPogrzL.exe, 0000000A.00000003.259925336.000000000559C000.00000004.00000001.sdmp	false		high
http://www.sakkal.comr	FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comam	FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnv	FNYVlhLumPogrzL.exe, 0000000A.00000003.256845249.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de2	FNYVlhLumPogrzL.exe, 0000000A.00000003.259111467.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	FNYVlhLumPogrzL.exe, 0000000A.00000003.258338420.000000000559C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersz	FNYVlhLumPogrzL.exe, 0000000A.00000003.259679205.000000000559C000.00000004.00000001.sdmp	false		high
http://www.tiro.com(	FNYVlhLumPogrzL.exe, 0000000A.00000003.257491913.000000000559F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.de	FNYVlhLumPogrzL.exe, 0000000A.00000003.261253439.000000000559C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.como8	FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	FNYVlhLumPogrzL.exe, 0000000A.00000003.258413038.000000000559C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designerst	FNYVlhLumPogrzL.exe, 0000000A.00000003.259679205.000000000559C000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	FNYVlhLumPogrzL.exe, 0000000A.00000003.261814632.000000000559C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deO	FNYVlhLumPogrzL.exe, 0000000A.00000003.261207771.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/v	FNYVlhLumPogrzL.exe, 0000000A.00000003.259181693.000000000559C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comion	FNYVlhLumPogrzL.exe, 0000000A.00000002.281721786.0000000005570000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.urwpp.dey	FNYVlhLumPogrzL.exe, 0000000A.00000003.259111467.000000000559C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn7	FNYVlhLumPogrzL.exe, 0000000A.00000003.257114831.0000000005580000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	FNYVlhLumPogrzL.exe, 0000000A.00000002.282117897.0000000005812000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	FNYVlhLumPogrzL.exe, 0000000A.00000003.259181693.000000000559C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.120	unknown	Netherlands		208476	DANILENKODE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	341895
Start date:	20.01.2021
Start time:	03:53:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.win@28/24@16/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 88.221.62.148, 13.107.42.13, 104.43.139.144, 13.107.42.12, 152.199.19.161, 2.20.84.85, 51.11.168.160, 92.122.213.247, 92.122.213.194, 67.26.73.254, 67.27.157.254, 8.253.207.121, 8.248.135.254, 8.248.141.254, 20.54.26.129 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, l-0004.l-msedge.net, iecvlist.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, go.microsoft.com, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, odc-sn-files-brs.onedrive.akadns.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target unarchiver.exe, PID 3440 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:54:36	API Interceptor	1x Sleep call for process: FNYVlhLumPogrzL.exe modified
03:54:44	API Interceptor	743x Sleep call for process: RegSvcs.exe modified
03:54:44	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
03:54:45	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
03:54:45	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\FNYVlhLumPogrzL.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{322791B1-5B16-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7988366230192592
Encrypted:	false
SSDEEP:	48:Iw5GcprEGwpLGhG/ap8brGIpcxHWGvnZpvxn/Gojqp9xnaOGo4tpmxuaZBGWFb9s:rfZ8Zk2b9WxTtxufxotMxlxl6Ev2
MD5:	A7487A67F1CB3462A5E7EA02EB4F883C
SHA1:	E0D53960F1724B3002F51DF542F04338E1640213
SHA-256:	DA997F577F74485F00B532187927744363FA512DB89829135ADE1DF865EB85D6
SHA-512:	A6E3A820033D9E51BD04BD3E4C035954303FDE22D50609C885F6F6151A5ECD3363831419D5C3D0B280DD5BCDD4A763A81B7CD23BF568BA8A9D2DC41897D3FA13
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{322791B3-5B16-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5986040283144574
Encrypted:	false
SSDEEP:	48:IwLGcpryGwpaeG4pQChGrapbS/rGQpBoLbGHHpcohPsTGUpQoKpVGcpm:rRZ6Qe60BS/Fjp2Ik6Ng
MD5:	B11D6E0F8AC61F0BB9D78A02AE101162
SHA1:	C8539092773AF6C520BB68D5D3758EE101071655
SHA-256:	73B18FC940E4AD252295C53FFBFE7F34C89C50289DEB6992423492E3125FD440
SHA-512:	27213E8F6F7F4ADEBA86B31DEC319D7C986203A257E5E742B4E725A07B46A430305EEE6EA3869105095A4067A3476ECA441377E9FCF3CD6567977214A14EC111
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z.h1ixtx1.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	1135642
Entropy (8bit):	7.999815833560986
Encrypted:	true
SSDEEP:	24576:UExCZp6dTHfYmoNvEo9c+P7lO93tsmMnSTnt/B83qZUJQ96u/KV7tb:/CZp6QmGD9caOrsbnSTnt/BWq0QHQ7V
MD5:	EE856182C24F0FC4FA822F4882E5A2C2
SHA1:	846DA7258045528D385C7197960807558402A235
SHA-256:	86256445950E138455F808B4BF6A086227CC254E5A42AB929626A3DB67218D08
SHA-512:	D8C8B406CB08200490D846605628B4D0E7661F96EEA7F41ED83382CB785E0337E59895E250E9BD4689C9A6012D4B0E53604EC0CAF553326DAAAD7943B9A300D7
Malicious:	false
Reputation:	low
Preview:	Rar!....0.9 .............s!X5........... ]/...#..FNYVlhLumPogrzL.exe...jP........@0c30U.EPeT.T....t.q....o:.Uot.9........E. ....m..A&..$....l...'.......^.........@.C.... .(.....U............ ..d....@......b.p.....'......P..c...a...............w)..9.7..38.6.106..9.0..8.6.4.p...@....\...I.`..?.K....g._.... ........8......~/.u......_..`_.u.....\|_...y...!....../.....HT......D...0......#.....?.^\|OS.(gz=.\.........7K........K{?.6..........'./..H....k.......e25......M...............~..........u........P.8z..g.........d.....Y..QY.<...Y.t.?..U.<.(9..i..Lh.!.J.....<.o......j........(..+..&/.x.;.....%U..g+[..`.I....l5.].r....s..".....O..@....'..V.M.{...q<O..]...iV..)f...b.....N.....f....fPW...?G......J..c.?.e..DTY.....\ybr.Y`&V.@..........E....}r..J.ahLh..8...6..w..._.z...K...#..L.>I.e....A..f.7g........^X..sQ'F0....Qq.....*._.^..`.T../K...1%..O...H.L.Y.4....$u.^..W.s.Z...=2...M.#...w\|.....lc4i<e..;..T...a..........y.....k.7h.....x..P....I..s...PO;b......f

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z.h1ixtx1.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\TKK3637920031.jpeg[1].z Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	1135642
Entropy (8bit):	7.999815833560986
Encrypted:	true
SSDEEP:	24576:UExCZp6dTHfYmoNvEo9c+P7lO93tsmMnSTnt/B83qZUJQ96u/KV7tb:/CZp6QmGD9caOrsbnSTnt/BWq0QHQ7V
MD5:	EE856182C24F0FC4FA822F4882E5A2C2
SHA1:	846DA7258045528D385C7197960807558402A235
SHA-256:	86256445950E138455F808B4BF6A086227CC254E5A42AB929626A3DB67218D08
SHA-512:	D8C8B406CB08200490D846605628B4D0E7661F96EEA7F41ED83382CB785E0337E59895E250E9BD4689C9A6012D4B0E53604EC0CAF553326DAAAD7943B9A300D7
Malicious:	false
Reputation:	low
Preview:	Rar!....0.9 .............s!X5........... ]/...#..FNYVlhLumPogrzL.exe...jP........@0c30U.EPeT.T....t.q....o:.Uot.9........E. ....m..A&..$....l...'.......^.........@.C.... .(.....U............ ..d....@......b.p.....'......P..c...a...............w)..9.7..38.6.106..9.0..8.6.4.p...@....\...I.`..?.K....g._.... ........8......~/.u......_..`_.u.....\|_...y...!....../.....HT......D...0......#.....?.^\|OS.(gz=.\.........7K........K{?.6..........'./..H....k.......e25......M...............~..........u........P.8z..g.........d.....Y..QY.<...Y.t.?..U.<.(9..i..Lh.!.J.....<.o......j........(..+..&/.x.;.....%U..g+[..`.I....l5.].r....s..".....O..@....'..V.M.{...q<O..]...iV..)f...b.....N.....f....fPW...?G......J..c.?.e..DTY.....\ybr.Y`&V.@..........E....}r..J.ahLh..8...6..w..._.z...K...#..L.>I.e....A..f.7g........^X..sQ'F0....Qq.....*._.^..`.T../K...1%..O...H.L.Y.4....$u.^..W.s.Z...=2...M.#...w\|.....lc4i<e..;..T...a..........y.....k.7h.....x..P....I..s...PO;b......f

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.406442624860051
Encrypted:	false
SSDEEP:	3:oVXUoV9nT498JOGXnEoV9q4u7n:o9UoV90qEoV9q4m
MD5:	D3502D5124CC72EEADBC026B602DF179
SHA1:	B9B87B7A44940CD0F026A6859C0B83D3BEEE00E6
SHA-256:	DA9E6042C62714DF48DFB11A669BB50650CDD75CCB481FEF2D5BC88781945562
SHA-512:	4EC85300B08B436C63B0CA2B746D147C7A9DCF6D8574AC305077BD97E08E603E4FB46F4D816A2702B53B0647FCF4800B3CBE663E8ABBFE3E331656280E00F7C0
Malicious:	false
Reputation:	low
Preview:	[2021/01/20 03:54:07.301] Latest deploy version: ..[2021/01/20 03:54:07.316] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\bpkrjtup.j3x\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2503
Entropy (8bit):	5.230675390203555
Encrypted:	false
SSDEEP:	48:kcdDyjcbWcyGncyGbncyGncyGphcyGbncyGncyGpCDyjcyGHxcyGPDyjcyGGicyN:lQde9eUdw0
MD5:	EA43926E4B4D250F520897C7F577A097
SHA1:	9E1545DB57DBE43B041D4DCC1669A91032B165DE
SHA-256:	821DCF685A76A7EC2E87165109A46A790A18089201E7FA3E32B761B5E0BAD1FC
SHA-512:	4CD9F65C789DA016911BED4E82ADF65133C3DA9D3AC0C2B447E1C00CBDECDCEADC02FFBF1C3B03CD606134D988F839221B30090CDD8D33301EC4250965A3E8AB
Malicious:	false
Reputation:	low
Preview:	01/20/2021 3:54 AM: Unpack: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z..01/20/2021 3:54 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt..01/20/2021 3:54 AM: Received from standard out: ..01/20/2021 3:54 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/20/2021 3:54 AM: Received from standard out: ..01/20/2021 3:54 AM: Received from standard out: Scanning the drive for archives:..01/20/2021 3:54 AM: Received from standard out: 1 file, 1135642 bytes (1110 KiB)..01/20/2021 3:54 AM: Received from standard out: ..01/20/2021 3:54 AM: Received from standard out: Extracting archive: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z..01/20/2021 3:54 AM: Received from standard out: WARNING:..01/20/2021 3:54 AM: Received from standard out: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z..01/20/2021 3:54

C:\Users\user\AppData\Local\Temp\tmp7D78.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp81FD.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.194281179975877
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBetn:cbh47TlNQ//rydbz9I3YODOLNdq3q
MD5:	4AFEB34191C071F283C4F2BC626AF07E
SHA1:	EAB2F0CF9C862D7F97E9E9921E19266069658424
SHA-256:	CA9238A1CC8E52FAA083A8865A0623EAACCD12F3F95AA96D89CB53E3DFA11737
SHA-512:	2B8E7F57A6F7B64B8C77B8960B445047865BB36B54BCC2A16811ECA1335A65BF3C7685711444EA7974C57EE7F712BBB625A68F49F6EE3F2559C51733AB46F38D
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1505792
Entropy (8bit):	7.429842059066444
Encrypted:	false
SSDEEP:	24576:8+6JbyWvhKxiSA7Xv7z4JNWDxvSNSNb5jNb:dchKiS+vvVYM5D
MD5:	E2369B4A4D2E2C7F1F8AF4F7743532E9
SHA1:	FF73F21E4CA57111DCB38051A92CE59AC48E7498
SHA-256:	CE82DC0464405C155279812B9506998991C7FB74CE59DFCABEE337DA9CDB757A
SHA-512:	26AB837582235DB7300873CEE599FEF96503FB1B80EE9B81AB54B12BDF5C7D4E4FAB660FB7F931AC4F00CC684EC4BC35EF40539A3671907729F0E517CF52FEB6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.`..............0..............@....... ....@.. .......................`............@.....................................K....`....................... .......................................................@..................H...........}PT.(h{>.]... ...^..................@....text...`............b.............. ..`.rsrc........`.......>..............@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC5EFD22772502ADF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.44390090907631574
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loUF9lo09lWvpbWpdL:kBqoIPZvpSpdL
MD5:	F4EC83EB47B455BD5E2BC09BAA0CBC72
SHA1:	05FEF35A8F33B35B3B8A6F22B912BADADB237C77
SHA-256:	95DDC1E3B611A39DE76BA208B601354349D4B332945E53D408A5BC3C40AB2B9D
SHA-512:	B8E253CBAA3F710FF9FD0AB7E7EDCFE020F3F636B3FBCA0B3997E652305812E780D8009B9B926E098CEFA1C0D2B6AC0F0C5F3647FD0184BE2AC60817B9610318
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE94FC4F1589F59FF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.3301349720454092
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwtyqv9lwtyqv9l2tyqs:kBqoxKAuvScS+oLoFou+oboKy
MD5:	67E50969A57D1702F83443D98F965B36
SHA1:	4F417FCA16108ADDBE783277DC520E0B15783042
SHA-256:	244970D1466095F000EACF6003A8964EB318311E2D7415B70A3517C9D9361CCF
SHA-512:	C366FD66431A41A3378859B9B7C14E1BEE38BB171B02197C087EE577538CE6DCC0F74E67337BF7EEE51D55D7E85687E01AF966CFE215D1FC20404CD4EFD6C8C4
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	1488
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7RFBFSBvv8UQnybgCUtvd7RFBFSBvv8UQnybgCUtvd7RFBFSBvv8R:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/tP
MD5:	FA1E30035440350B350A67A97D629526
SHA1:	F28C5C85A69BDC11296921DD4840F57EA624C5E8
SHA-256:	A1B53D5F3983483EA34CC768A38248F849160EEE6C8477C451CF5CE2985D5DE9
SHA-512:	359FF4147C7C5A0C6331A05E9129C08DCF678285F4DACFBAA86AD33B9D50EE8F028B9836AB6D9E1DAC54E11144EC34020153E2E73158DA0311B278BF446E4069
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:6f4:04
MD5:	6262F7C072E709CB42A451761371F212
SHA1:	70CBCCEA7042E0E927B8C3939EB82F73815C6072
SHA-256:	AAC01F2674B55898586C9D2527C7E2835201CDEDBAC46DD3164BC6487111C2D1
SHA-512:	0BA0EB1B54EA34EBD46AE817088AAC38ACA02AF831EDBFB934C60AD8BCFE1BA9C6D0DD9CA82445BE1516BDBFAFDDC81DA42AE2FC9D2AA8AEC7E5CECBC5E0297E
Malicious:	true
Reputation:	low
Preview:	.gb,:..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Reputation:	low
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\FxuoZREPj.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1505792
Entropy (8bit):	7.429842059066444
Encrypted:	false
SSDEEP:	24576:8+6JbyWvhKxiSA7Xv7z4JNWDxvSNSNb5jNb:dchKiS+vvVYM5D
MD5:	E2369B4A4D2E2C7F1F8AF4F7743532E9
SHA1:	FF73F21E4CA57111DCB38051A92CE59AC48E7498
SHA-256:	CE82DC0464405C155279812B9506998991C7FB74CE59DFCABEE337DA9CDB757A
SHA-512:	26AB837582235DB7300873CEE599FEF96503FB1B80EE9B81AB54B12BDF5C7D4E4FAB660FB7F931AC4F00CC684EC4BC35EF40539A3671907729F0E517CF52FEB6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.`..............0..............@....... ....@.. .......................`............@.....................................K....`....................... .......................................................@..................H...........}PT.(h{>.]... ...^..................@....text...`............b.............. ..`.rsrc........`.......>..............@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	219
Entropy (8bit):	4.93892350100959
Encrypted:	false
SSDEEP:	6:zx3M7/LDkRLELQbSBYBXVNYUqKRLipilFWepYF:zKLLDkOcPBFNYUXQpmWeSF
MD5:	B806DB526EF386AF03CC861D9EDAC7F0
SHA1:	752F5CFD27F955733B3C0AA2BD2C93B5F6E04E95
SHA-256:	B6428BBB155A23F61A036BFCFD37556FC1B324CEC458BB9C663501B223EA270E
SHA-512:	C17DB7F8CCB1FB6F6C1AEBDAA8005E63F969BCB5BBF5BE2E39325ED9567E7665A305928948961270C0109EE7BF2808DB630DF9F840C21D1B650BB9C9026A1591
Malicious:	false
Reputation:	low
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/20/21-03:54:48.008225	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49731	58103	192.168.2.3	194.5.98.120
01/20/21-03:54:56.820534	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:03.342741	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:09.582405	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:15.909410	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:22.587171	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:29.017083	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:35.413547	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:41.772538	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:48.143018	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49751	58103	192.168.2.3	194.5.98.120
01/20/21-03:55:54.481130	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49754	58103	192.168.2.3	194.5.98.120
01/20/21-03:56:00.951320	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	58103	192.168.2.3	194.5.98.120
01/20/21-03:56:07.393192	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	58103	192.168.2.3	194.5.98.120
01/20/21-03:56:13.758406	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	58103	192.168.2.3	194.5.98.120

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2021 03:54:47.529011011 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:47.830319881 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:47.831140041 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:48.008224964 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:48.440855980 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:48.442153931 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:48.956835032 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:48.957067966 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:49.266015053 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:49.266845942 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:49.766807079 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:49.767000914 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:49.937417984 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:50.168019056 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:50.168078899 CET	58103	49731	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:50.168143988 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:50.168407917 CET	49731	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:54.082894087 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:56.816750050 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:56.820005894 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:56.820533991 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:57.237874985 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:57.240032911 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:57.780216932 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:57.780397892 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:58.098011017 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:58.098129988 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:58.597875118 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:58.597979069 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:58.827852964 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:58.964821100 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:58.964873075 CET	58103	49734	194.5.98.120	192.168.2.3
Jan 20, 2021 03:54:58.964911938 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:54:58.964951992 CET	49734	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:03.030318975 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:03.337780952 CET	58103	49735	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:03.337918997 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:03.342741013 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:03.749732018 CET	58103	49735	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:03.749826908 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:04.264760971 CET	58103	49735	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:04.264966011 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:04.602734089 CET	58103	49735	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:04.604691029 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:05.101712942 CET	58103	49735	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:05.101844072 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:05.140908957 CET	49735	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:09.275145054 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:09.580842018 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:09.581091881 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:09.582405090 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:09.997281075 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:09.997512102 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:10.496800900 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:10.497140884 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:10.803798914 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:10.803916931 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:11.310498953 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:11.310585976 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:11.453814030 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:11.687410116 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:11.687463999 CET	58103	49737	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:11.687587023 CET	49737	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:15.585464001 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:15.887204885 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:15.887425900 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:15.909410000 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:16.408720970 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:16.408848047 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:16.442087889 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:16.485321045 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:16.900816917 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:16.900907040 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:17.610424042 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:17.782635927 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:18.011898041 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:18.011975050 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:18.426985979 CET	58103	49741	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:18.427213907 CET	49741	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:22.268893957 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:22.572755098 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:22.572989941 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:22.587171078 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:23.016845942 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:23.017102957 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:23.521816015 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:23.521918058 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:23.827804089 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:23.828015089 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:24.336815119 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:24.337004900 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:24.548867941 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:24.718024015 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:24.718075991 CET	58103	49747	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:24.718169928 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:24.718225002 CET	49747	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:28.702466965 CET	49748	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:29.015722990 CET	58103	49748	194.5.98.120	192.168.2.3
Jan 20, 2021 03:55:29.015849113 CET	49748	58103	192.168.2.3	194.5.98.120
Jan 20, 2021 03:55:29.017082930 CET	49748	58103	192.168.2.3	194.5.98.120

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2021 03:54:02.729190111 CET	64185	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:02.777236938 CET	53	64185	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:03.676873922 CET	65110	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:03.725008011 CET	53	65110	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:05.009159088 CET	58361	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:05.065478086 CET	53	58361	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:05.975086927 CET	63492	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:06.036607981 CET	53	63492	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:06.782747984 CET	60831	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:06.833441019 CET	53	60831	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:07.205457926 CET	60100	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:07.266216040 CET	53	60100	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:07.570934057 CET	53195	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:07.618897915 CET	53	53195	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:08.362644911 CET	50141	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:08.413484097 CET	53	50141	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:08.452466965 CET	53023	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:08.508713007 CET	53	53023	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:08.942565918 CET	49563	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:09.068635941 CET	53	49563	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:09.562359095 CET	51352	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:09.610358000 CET	53	51352	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:11.150671005 CET	59349	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:11.207175970 CET	53	59349	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:12.354487896 CET	57084	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:12.402340889 CET	53	57084	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:13.234826088 CET	58823	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:13.291002989 CET	53	58823	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:37.231033087 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:37.279220104 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:37.368045092 CET	50540	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:37.441246986 CET	53	50540	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:38.233452082 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:38.289963961 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:38.800327063 CET	54366	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:38.848335028 CET	53	54366	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:39.268102884 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:39.315892935 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:41.279442072 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:41.335787058 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:45.296365976 CET	57568	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:45.352533102 CET	53	57568	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:47.450515985 CET	53034	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:47.508745909 CET	53	53034	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:51.053227901 CET	57762	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:51.110755920 CET	53	57762	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:51.975824118 CET	55435	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:52.023802042 CET	53	55435	8.8.8.8	192.168.2.3
Jan 20, 2021 03:54:54.022315025 CET	50713	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:54:54.081486940 CET	53	50713	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:02.969752073 CET	56132	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:03.028991938 CET	53	56132	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:05.512104988 CET	58987	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:05.583679914 CET	53	58987	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:09.214670897 CET	56579	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:09.271351099 CET	53	56579	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:15.236490011 CET	60633	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:15.284336090 CET	53	60633	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:15.525748968 CET	61292	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:15.584012985 CET	53	61292	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:19.599678040 CET	63619	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:19.657581091 CET	53	63619	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:22.181852102 CET	64938	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:22.238539934 CET	53	64938	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:28.639046907 CET	61946	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:28.699803114 CET	53	61946	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:35.047111034 CET	64910	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:35.103317022 CET	53	64910	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:41.396301031 CET	52123	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:41.455311060 CET	53	52123	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:47.752219915 CET	56130	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:47.812983990 CET	53	56130	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:49.185046911 CET	56338	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:49.232865095 CET	53	56338	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:49.798393965 CET	59420	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:49.869008064 CET	53	59420	8.8.8.8	192.168.2.3
Jan 20, 2021 03:55:54.105278969 CET	58784	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:55:54.153218031 CET	53	58784	8.8.8.8	192.168.2.3
Jan 20, 2021 03:56:00.576467037 CET	63978	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:56:00.633006096 CET	53	63978	8.8.8.8	192.168.2.3
Jan 20, 2021 03:56:07.011157990 CET	62938	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:56:07.070544004 CET	53	62938	8.8.8.8	192.168.2.3
Jan 20, 2021 03:56:13.384819031 CET	55708	53	192.168.2.3	8.8.8.8
Jan 20, 2021 03:56:13.441323996 CET	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 20, 2021 03:54:08.362644911 CET	192.168.2.3	8.8.8.8	0x64e8	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 20, 2021 03:54:08.942565918 CET	192.168.2.3	8.8.8.8	0xaff6	Standard query (0)	rptj2g.sn.files.1drv.com	A (IP address)	IN (0x0001)
Jan 20, 2021 03:54:47.450515985 CET	192.168.2.3	8.8.8.8	0x690a	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:54:54.022315025 CET	192.168.2.3	8.8.8.8	0xb3dd	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:02.969752073 CET	192.168.2.3	8.8.8.8	0x23e	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:09.214670897 CET	192.168.2.3	8.8.8.8	0x15f8	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:15.525748968 CET	192.168.2.3	8.8.8.8	0xd3bb	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:22.181852102 CET	192.168.2.3	8.8.8.8	0xa3e3	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:28.639046907 CET	192.168.2.3	8.8.8.8	0xe619	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:35.047111034 CET	192.168.2.3	8.8.8.8	0xa1f4	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:41.396301031 CET	192.168.2.3	8.8.8.8	0x7d01	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:47.752219915 CET	192.168.2.3	8.8.8.8	0x24af	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:54.105278969 CET	192.168.2.3	8.8.8.8	0x52c0	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:00.576467037 CET	192.168.2.3	8.8.8.8	0x5f55	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:07.011157990 CET	192.168.2.3	8.8.8.8	0x5f4e	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:13.384819031 CET	192.168.2.3	8.8.8.8	0xd468	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 20, 2021 03:54:08.413484097 CET	8.8.8.8	192.168.2.3	0x64e8	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2021 03:54:09.068635941 CET	8.8.8.8	192.168.2.3	0xaff6	No error (0)	rptj2g.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2021 03:54:09.068635941 CET	8.8.8.8	192.168.2.3	0xaff6	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 20, 2021 03:54:47.508745909 CET	8.8.8.8	192.168.2.3	0x690a	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:54:54.081486940 CET	8.8.8.8	192.168.2.3	0xb3dd	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:03.028991938 CET	8.8.8.8	192.168.2.3	0x23e	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:09.271351099 CET	8.8.8.8	192.168.2.3	0x15f8	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:15.584012985 CET	8.8.8.8	192.168.2.3	0xd3bb	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:22.238539934 CET	8.8.8.8	192.168.2.3	0xa3e3	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:28.699803114 CET	8.8.8.8	192.168.2.3	0xe619	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:35.103317022 CET	8.8.8.8	192.168.2.3	0xa1f4	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:41.455311060 CET	8.8.8.8	192.168.2.3	0x7d01	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:47.812983990 CET	8.8.8.8	192.168.2.3	0x24af	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:55:54.153218031 CET	8.8.8.8	192.168.2.3	0x52c0	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:00.633006096 CET	8.8.8.8	192.168.2.3	0x5f55	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:07.070544004 CET	8.8.8.8	192.168.2.3	0x5f4e	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)
Jan 20, 2021 03:56:13.441323996 CET	8.8.8.8	192.168.2.3	0xd468	No error (0)	strongodss.ddns.net		194.5.98.120	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5152 Parent PID: 792

General

Start time:	03:54:06
Start date:	20/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6ba4a0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 5168 Parent PID: 5152

General

Start time:	03:54:06
Start date:	20/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2
Imagebase:	0xcd0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: unarchiver.exe PID: 3440 Parent PID: 5152

General

Start time:	03:54:23
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Imagebase:	0xa30000
File size:	10240 bytes
MD5 hash:	8B435F8731563566F3F49203BA277865
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: 7za.exe PID: 4848 Parent PID: 3440

General

Start time:	03:54:24
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Imagebase:	0x1280000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 2024 Parent PID: 4848

General

Start time:	03:54:24
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cmd.exe PID: 5876 Parent PID: 3440

General

Start time:	03:54:25
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 5776 Parent PID: 5876

General

Start time:	03:54:25
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: FNYVlhLumPogrzL.exe PID: 2208 Parent PID: 5876

General

Start time:	03:54:25
Start date:	20/01/2021
Path:	C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Imagebase:	0x8c0000
File size:	1505792 bytes
MD5 hash:	E2369B4A4D2E2C7F1F8AF4F7743532E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.277584166.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: schtasks.exe PID: 1536 Parent PID: 2208

General

Start time:	03:54:39
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Imagebase:	0x1030000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 5744 Parent PID: 1536

General

Start time:	03:54:40
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: RegSvcs.exe PID: 4912 Parent PID: 2208

General

Start time:	03:54:40
Start date:	20/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd80000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 4156 Parent PID: 4912

General

Start time:	03:54:42
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Imagebase:	0x1030000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 4168 Parent PID: 4156

General

Start time:	03:54:43
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: schtasks.exe PID: 5564 Parent PID: 4912

General

Start time:	03:54:43
Start date:	20/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'
Imagebase:	0x1030000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 4840 Parent PID: 5564

General

Start time:	03:54:44
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: RegSvcs.exe PID: 4868 Parent PID: 528

General

Start time:	03:54:45
Start date:	20/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x690000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: conhost.exe PID: 1180 Parent PID: 4868

General

Start time:	03:54:46
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: dhcpmon.exe PID: 4120 Parent PID: 528

General

Start time:	03:54:45
Start date:	20/01/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xea0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exe PID: 3880 Parent PID: 4120

General

Start time:	03:54:46
Start date:	20/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5152 Parent PID: 792

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre