
Analysis Report TdX45jQWjj.exe

Overview

General Information

Sample Name: TdX45jQWjj.exe
Analysis ID: 356818
MD5: f261164b55c3be5c3c86150ff2a7cc27
SHA1: 634a546e3841af29b068c7c6535206695eb704d0
SHA256: b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
Tags: exe, NanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TdX45jQWjj.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\TdX45jQWjj.exe' MD5: F261164B55C3BE5C3C86150FF2A7CC27)
    • schtasks.exe (PID: 6004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 3012 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 6936 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6808 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3028 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xc136d:$x1: NanoCore.ClientPluginHost
  • 0xc13aa:$x2: IClientNetworkHost
  • 0xc4edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0xc10d5:$a: NanoCore
  • 0xc10e5:$a: NanoCore
  • 0xc1319:$a: NanoCore
  • 0xc132d:$a: NanoCore
  • 0xc136d:$a: NanoCore
  • 0xc1134:$b: ClientPlugin
  • 0xc1336:$b: ClientPlugin
  • 0xc1376:$b: ClientPlugin
  • 0xc125b:$c: ProjectData
  • 0xc1c62:$d: DESCrypto
  • 0xc962e:$e: KeepAlive
  • 0xc761c:$g: LogClientMessage
  • 0xc3817:$i: get_Connected
  • 0xc1f98:$j: #=q
  • 0xc1fc8:$j: #=q
  • 0xc1fe4:$j: #=q
  • 0xc2014:$j: #=q
  • 0xc2030:$j: #=q
  • 0xc204c:$j: #=q
  • 0xc207c:$j: #=q
  • 0xc2098:$j: #=q
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x251a25:$x1: NanoCore.ClientPluginHost
  • 0x251a62:$x2: IClientNetworkHost
  • 0x255595:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Unpacked PEs

Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x40c2:$x1: NanoCore.ClientPluginHost
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x40c2:$x2: NanoCore.ClientPluginHost
  • 0x41a0:$s4: PipeCreated
  • 0x40dc:$s5: IClientLoggingHost
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x4083:$x1: NanoCore.ClientPluginHost
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x4083:$x2: NanoCore.ClientPluginHost
  • 0x4161:$s4: PipeCreated
  • 0x409d:$s5: IClientLoggingHost
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3012, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TdX45jQWjj.exe', ParentImage: C:\Users\user\Desktop\TdX45jQWjj.exe, ParentProcessId: 6960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', ProcessId: 6004

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RTOqzQABo.exe; ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: TdX45jQWjj.exe; ReversingLabs: Detection: 18%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match; File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match; File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE
Source: 8.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack; Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: TdX45jQWjj.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\TdX45jQWjj.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: TdX45jQWjj.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000E.00000002.406605593.0000000004A70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.414673187.0000000005020000.00000002.00000001.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source: Binary string: mscorrc.pdb source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.602087565.00000000058A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407150676.0000000004B20000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407442223.00000000050F0000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 4x nop then mov esp, ebp

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 79.134.225.43 ports 0,1,3,58103,5,8
Source: global traffic; TCP traffic: 87.237.165.78 ports 0,1,3,58103,5,8
Uses dynamic DNS services
Source: unknown; DNS query: name: strongodss.ddns.net
Source: global traffic; TCP traffic: 192.168.2.6:49728 -> 87.237.165.78:58103
Source: global traffic; TCP traffic: 192.168.2.6:49733 -> 79.134.225.43:58103
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown; TCP traffic detected without corresponding DNS query: 79.134.225.43 (reported 27 times)
Source: unknown; DNS traffic detected: queries for: strongodss.ddns.net
Source: TdX45jQWjj.exe; String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: TdX45jQWjj.exe; String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: TdX45jQWjj.exe, 00000000.00000003.330218742.000000000559D000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: TdX45jQWjj.exe; String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TdX45jQWjj.exe; String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: TdX45jQWjj.exe; String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: TdX45jQWjj.exe; String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: TdX45jQWjj.exe; String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: TdX45jQWjj.exe; String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com.TTF
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TdX45jQWjj.exe, 00000000.00000003.337840613.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/f
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comC
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comH
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalsF
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comldco
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comsiefd
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: TdX45jQWjj.exe, 00000000.00000003.329977481.000000000559D000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comW
Source: TdX45jQWjj.exe, 00000000.00000003.333029459.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.c
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TdX45jQWjj.exe, 00000000.00000003.331982815.0000000005563000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn4
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnW
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cna-d
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnf
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnr-t
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.335447637.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com.
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comn-u
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comt-b
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: TdX45jQWjj.exe, 00000000.00000003.335896168.0000000005572000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com8
Source: TdX45jQWjj.exe, 00000000.00000003.336154433.0000000005572000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.comX
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com0
Source: TdX45jQWjj.exe, 00000000.00000003.332995890.000000000556B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com6
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comicx
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.de
Source: TdX45jQWjj.exe, 00000000.00000003.342118309.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.de&
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deF0
Source: TdX45jQWjj.exe, 00000000.00000003.337611054.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deas
Source: TdX45jQWjj.exe, 00000000.00000003.337507075.000000000557F000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deq
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: TdX45jQWjj.exe, 00000000.00000002.389051570.0000000001170000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File sources: the same 19 MEMORY and UNPACKEDPE entries listed under AV Detection above

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1836 NtQuerySystemInformation,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1572 NtSetInformationProcess,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1541 NtSetInformationProcess,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D17FB NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015DA150
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D38C0
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015DA140
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D45F8
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D483F
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D38B0
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D6307
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D4608
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_06D47484
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_06D407C4
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D029F
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D02B0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_011E7ABE
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A3850
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050AB748
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A2FA8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A23A0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A9A78
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A8E78
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A306F
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050AA320
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A9B3F
      Source: TdX45jQWjj.exe, 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.405108942.00000000067C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.407955141.0000000008C90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe | Binary or memory string: OriginalFilename vs TdX45jQWjj.exe
      Source: TdX45jQWjj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/13@10/2
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D13F6 AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D13BF AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | File created: C:\Users\user\AppData\Roaming\RTOqzQABo.exe
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_01
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Mutant created: \Sessions\1\BaseNamedObjects\ebczztAXVVdyft
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | File created: C:\Users\user\AppData\Local\Temp\tmp84A9.tmp
      Source: TdX45jQWjj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: TdX45jQWjj.exe | ReversingLabs: Detection: 18%
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | File read: C:\Users\user\Desktop\TdX45jQWjj.exe
      Source: unknown | Process created: C:\Users\user\Desktop\TdX45jQWjj.exe 'C:\Users\user\Desktop\TdX45jQWjj.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: TdX45jQWjj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: TdX45jQWjj.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp
      Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000E.00000002.406605593.0000000004A70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.414673187.0000000005020000.00000002.00000001.sdmp
      Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
      Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
      Source: Binary string: mscorrc.pdb source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.602087565.00000000058A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407150676.0000000004B20000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407442223.00000000050F0000.00000002.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_011EAE1B push cs; retf
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_011EAD34 push cs; retf
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_011E74B8 push ebp; ret
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_011E74AC push ecx; ret
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_011EADA8 push cs; retf
      Source: initial sampleStatic PE information: section name: .text entropy: 6.88263810957
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeFile created: C:\Users\user\AppData\Roaming\RTOqzQABo.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara matchFile source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME<
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: TdX45jQWjj.exe, 00000000.00000002.392822198.0000000003654000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeCode function: 0_2_01108340 sldt word ptr [eax]
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWindow / User API: foregroundWindowGot 734
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe TID: 6984Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7104Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4632Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 8_2_051D161A GetSystemInfo,
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools<
      Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II<
      Source: RegSvcs.exe, 00000008.00000003.403350534.0000000000DFA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
      Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\<
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareLN81D5VWWin32_VideoControllerU8Y22OM9VideoController120060621000000.000000-00059181677display.infMSBDACPYZYXKEPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsNZ4_DGR8
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: VMWARE<
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr"SOFTWARE\VMware, Inc.\VMware Tools
      Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareLN81D5VWWin3
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: QEMU<
      Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmpBinary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
      Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: A39008
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
      Source: RegSvcs.exe, 00000008.00000003.455367738.0000000000E0F000.00000004.00000001.sdmpBinary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
      Source: RegSvcs.exe, 00000008.00000002.599974764.000000000312D000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: RegSvcs.exe, 00000008.00000003.455302856.0000000000DBF000.00000004.00000001.sdmpBinary or memory string: Program Manager4}
      Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmpBinary or memory string: &Program Manager
      Source: RegSvcs.exe, 00000008.00000003.532563250.0000000000DBF000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll | VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll | VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
      Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_0679195A GetUserNameA,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
      Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: TdX45jQWjj.exe, 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D2B26 bind,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D2AF6 bind,

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture21 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection312 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing12 | NTDS | Security Software Discovery311 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cached Domain Credentials | Process Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection312 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

      Behavior Graph

      Figure: behavior graph (rendered image not preserved; the node text recovered from it is listed below).

      Behavior Graph ID: 356818, Sample: TdX45jQWjj.exe, Start date: 23/02/2021, Architecture: WINDOWS, Score: 100

      • Contacted domain: strongodss.ddns.net
      • Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures
      • Top-level processes: TdX45jQWjj.exe, RegSvcs.exe, dhcpmon.exe (two instances)
      • TdX45jQWjj.exe dropped: C:\Users\user\AppData\Roaming\RTOqzQABo.exe (PE32); C:\Users\user\AppData\Local\...\tmp84A9.tmp (XML); C:\Users\user\AppData\...\TdX45jQWjj.exe.log (ASCII)
      • TdX45jQWjj.exe signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      • TdX45jQWjj.exe started: RegSvcs.exe, schtasks.exe; the top-level RegSvcs.exe and both dhcpmon.exe instances started conhost.exe
      • RegSvcs.exe network: strongodss.ddns.net 87.237.165.78 (49728, 49729, 49730; MTVHGB, Russian Federation); 79.134.225.43 (49733, 49734, 49737; FINK-TELECOM-SERVICESCH, Switzerland)
      • RegSvcs.exe dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
      • RegSvcs.exe signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier)
      • RegSvcs.exe started: schtasks.exe (two instances); each schtasks.exe started conhost.exe


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      TdX45jQWjj.exe | 19% | ReversingLabs | Win32.Trojan.AgentTesla

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Roaming\RTOqzQABo.exe | 19% | ReversingLabs | Win32.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      8.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      8.2.RegSvcs.exe.5ba0000.11.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

      Source | Detection | Scanner | Label
      strongodss.ddns.net | 8% | Virustotal |

      URLs


      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
strongodss.ddns.net | 87.237.165.78 | true | true | - | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.sajatypeworks.com. | TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com6 | TdX45jQWjj.exe, 00000000.00000003.332995890.000000000556B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnW | TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.comn-u | TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com0 | TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cna-d | TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b= | TdX45jQWjj.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.founder.c | TdX45jQWjj.exe, 00000000.00000003.333029459.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://topicalmemorysystem.googlecode.com/files/ | TdX45jQWjj.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comalsF | TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | TdX45jQWjj.exe, 00000000.00000003.330218742.000000000559D000.00000004.00000001.sdmp; TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.blueletterbible.org/Bible.cfm?b= | TdX45jQWjj.exe | false | - | high
http://www.founder.com.cn/cnr-t | TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de& | TdX45jQWjj.exe, 00000000.00000003.342118309.000000000557F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fonts.com | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnf | TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comt-b | TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.comX | TdX45jQWjj.exe, 00000000.00000003.336154433.0000000005572000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comC | TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comicx | TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comsiefd | TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comH | TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.biblegateway.com/passage/?search= | TdX45jQWjj.exe | false | - | high
http://www.urwpp.deas | TdX45jQWjj.exe, 00000000.00000003.337611054.000000000557F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.esvstudybible.org/search?q= | TdX45jQWjj.exe | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/C | TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deF0 | TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comW | TdX45jQWjj.exe, 00000000.00000003.329977481.000000000559D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.biblija.net/biblija.cgi?m= | TdX45jQWjj.exe | false | - | high
http://www.sakkal.com8 | TdX45jQWjj.exe, 00000000.00000003.335896168.0000000005572000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.deq | TdX45jQWjj.exe, 00000000.00000003.337507075.000000000557F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comldco | TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp; TdX45jQWjj.exe, 00000000.00000003.335447637.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn4 | TdX45jQWjj.exe, 00000000.00000003.331982815.0000000005563000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/d | TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/f | TdX45jQWjj.exe, 00000000.00000003.337840613.000000000557F000.00000004.00000001.sdmp | false | - | high

None of the URLs in this table is rated malicious. They are strings carved from the binary and its memory dumps rather than observed traffic; many are type-foundry and font-licence domains, often with a trailing carving artefact (for example "fontbureau.comC", "urwpp.deF0", "sajatypeworks.comt-b"). The network indicator this report does mark malicious is the dynamic-DNS host strongodss.ddns.net listed under Contacted Domains.

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
87.237.165.78 | unknown | Russian Federation | 49967 | MTVHGB | true
79.134.225.43 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356818
Start date: 23.02.2021
Start time: 17:16:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TdX45jQWjj.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/13@10/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.7% (good quality ratio 1.2%)
• Quality average: 43%
• Quality standard deviation: 34.1%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP packets have been reduced to 100.
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• IPs excluded from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 52.255.188.83, 104.43.139.144, 104.43.193.48, 168.61.161.212, 51.104.139.180, 8.248.131.254, 8.253.207.121, 8.253.204.121, 67.26.73.254, 8.248.137.254, 51.103.5.159, 52.155.217.156, 92.122.213.247, 92.122.213.194, 20.54.26.129, 184.30.24.56
• Domains excluded from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
17:17:26 | API Interceptor | 2x Sleep call for process: TdX45jQWjj.exe modified
17:17:47 | API Interceptor | 749x Sleep call for process: RegSvcs.exe modified
17:17:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "DHCP Monitor" = C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
17:17:48 | Task Scheduler | Run new task: DHCP Monitor, path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
17:17:48 | Task Scheduler | Run new task: DHCP Monitor Task, path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
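The rows above are the sample's persistence: a Run-key value named "DHCP Monitor" pointing at the dropped dhcpmon.exe, and two scheduled tasks with the same name, one of which launches RegSvcs.exe (the process the report also names as the dropper of dhcpmon.exe). Those three artifacts, plus the file hashes listed under Created / dropped Files, are what a responder would sweep other hosts for. The Python below is an added example written for this page, not code from the Joe Sandbox report: it runs three detection rules over a constructed list of registry-set and task-creation events and compares a file's hashes with the dhcpmon.exe hashes from the report. The flat event dictionaries and their field names (type, key, value, data, name, action) are an assumed schema for illustration, not a Sysmon or ETW format.

```python
"""Triage rules for the persistence artifacts in the Simulations table.

Added example for this page, not part of the Joe Sandbox report. The event
dictionaries and their field names are an assumed schema for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators taken from the report.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_DIR = r"C:\Program Files (x86)\DHCP Monitor"
DROPPED_PATH = DROPPED_DIR + r"\dhcpmon.exe"
TASK_NAMES = {"DHCP Monitor", "DHCP Monitor Task"}
# Hashes of the dropped dhcpmon.exe from the Created / dropped Files section.
REPORT_MD5 = "71369277d09da0830c8c59f9e22bb23a"
REPORT_SHA256 = "d4527b7ad2fc4778cc5be8709c95aea44eac0568b367ee14f7357d72898c3698"
# RegSvcs.exe (the .NET Services Installation Tool) under any framework version.
REGSVCS_RE = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\regsvcs\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so path comparisons are stable."""
    return path.strip().strip('"').lower()


def check_registry(ev: dict) -> list:
    """Run-key value that reuses the 'DHCP Monitor' name or points into the dropped directory."""
    if _norm(ev.get("key", "")) != RUN_KEY.lower():
        return []
    data = _norm(ev.get("data", ""))
    if ev.get("value") == "DHCP Monitor" or data.startswith(DROPPED_DIR.lower()):
        return [Finding("run_key_dhcp_monitor", f"{ev.get('value')} -> {ev.get('data')}")]
    return []


def check_task(ev: dict) -> list:
    """Scheduled task matching the report by name, by dropped-file target, or by a RegSvcs.exe action."""
    findings = []
    name = ev.get("name", "")
    action = _norm(ev.get("action", ""))
    if name in TASK_NAMES or action.startswith(DROPPED_DIR.lower()):
        findings.append(Finding("task_dhcp_monitor", f"{name} -> {ev.get('action')}"))
    if REGSVCS_RE.search(action):
        # A task whose action is RegSvcs.exe is the injection host the report observed.
        # Assumption: legitimate software rarely schedules this tool; tune for your estate.
        findings.append(Finding("task_regsvcs_action", f"{name} -> {ev.get('action')}"))
    return findings


def triage(events) -> list:
    """Run both rule sets over an iterable of event dicts and return all findings in order."""
    out = []
    for ev in events:
        if ev.get("type") == "registry_set":
            out.extend(check_registry(ev))
        elif ev.get("type") == "task_create":
            out.extend(check_task(ev))
    return out


def matches_dropped_file(data: bytes) -> dict:
    """Compare a file's MD5 and SHA-256 with the dhcpmon.exe hashes in the report."""
    return {
        "md5": hashlib.md5(data).hexdigest() == REPORT_MD5,
        "sha256": hashlib.sha256(data).hexdigest() == REPORT_SHA256,
    }


# Constructed events modelled on the Simulations rows, plus two benign entries (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value": "DHCP Monitor", "data": DROPPED_PATH},
    {"type": "task_create", "name": "DHCP Monitor",
     "action": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"'},
    {"type": "task_create", "name": "DHCP Monitor Task", "action": f'"{DROPPED_PATH}"'},
    {"type": "registry_set", "key": RUN_KEY, "value": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "task_create", "name": "GoogleUpdateTaskMachineUA",
     "action": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

On the constructed input the first three events produce four findings (the RegSvcs.exe task trips both the name rule and the action rule) and the two benign entries produce none. On a live Windows host the same inputs come from the Run key (Get-ItemProperty) and from the Actions of Get-ScheduledTask; the RegSvcs.exe rule is the one worth keeping as a generic hunt, since the task name and directory are specific to this build.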

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection
79.134.225.43 | JfRbEbUkpV39K4L.exe | malicious
79.134.225.43 | Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe | malicious
79.134.225.43 | 290453721.xls | malicious
79.134.225.43 | nUo0FukkVO.xls | malicious

                                          Domains

No context

                                          ASN

Match | Associated Sample Name / URL | Detection | Context
MTVHGB | QUOTATION 19 01 2021.exe | malicious | 87.237.165.162
FINK-TELECOM-SERVICESCH | e92b274943f4a3a557881ee0dd57772d.exe | malicious | 79.134.225.105
FINK-TELECOM-SERVICESCH | WxTm2cWLHF.exe | malicious | 79.134.225.71
FINK-TELECOM-SERVICESCH | Payment Confirmation.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | rjHlt1zz28.exe | malicious | 79.134.225.49
FINK-TELECOM-SERVICESCH | Deadly Variants of Covid 19.doc | malicious | 79.134.225.49
FINK-TELECOM-SERVICESCH | document.exe | malicious | 79.134.225.122
FINK-TELECOM-SERVICESCH | 5293ea9467ea45e928620a5ed74440f5.exe | malicious | 79.134.225.105
FINK-TELECOM-SERVICESCH | f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 79.134.225.105
FINK-TELECOM-SERVICESCH | 256ec8f8f67b59c5e085b0bb63afcd13.exe | malicious | 79.134.225.105
FINK-TELECOM-SERVICESCH | JOIN.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | Delivery pdf.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | d88e07467ddcf9e3b19fa972b9f000d1.exe | malicious | 79.134.225.105
FINK-TELECOM-SERVICESCH | fnfqzfwC44.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | Solicitud de oferta 6100003768.exe | malicious | 79.134.225.96
FINK-TELECOM-SERVICESCH | Nrfgylra.exe | malicious | 79.134.225.96
FINK-TELECOM-SERVICESCH | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
FINK-TELECOM-SERVICESCH | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
FINK-TELECOM-SERVICESCH | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
FINK-TELECOM-SERVICESCH | Form pdf.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | Quotation 3342688.exe | malicious | 79.134.225.120

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Vietnam Order.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Dhl Shipping Document.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PO-WJO-001, pdf.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | byWuWAR5FD.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | parcel_images.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0712020.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | JfRbEbUkpV39K4L.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | zC3edqmNNt.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Shipping Document.pdf..exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PPR & CPR_HEA_DECEMBER 4 2020.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | AdministratorDownloadsBL,.rar.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | signed_19272.zip(#U007e18 KB) (2).exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | TT Swift Copy..,.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Invoice-.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Invoice..,.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Bank Update Info.exe | malicious

                                                                                  Created / dropped Files

                                                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):3.7515815714465193
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                                                                  MD5:71369277D09DA0830C8C59F9E22BB23A
                                                                                  SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                                                                  SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                                                                  SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                   • Antivirus: ReversingLabs, Detection: 0%
                                                                                   Joe Sandbox View:
                                                                                   • Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious
                                                                                   • Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious
                                                                                   • Filename: Vietnam Order.exe, Detection: malicious
                                                                                   • Filename: Dhl Shipping Document.exe, Detection: malicious
                                                                                   • Filename: PO-WJO-001, pdf.exe, Detection: malicious
                                                                                   • Filename: byWuWAR5FD.exe, Detection: malicious
                                                                                   • Filename: parcel_images.exe, Detection: malicious
                                                                                   • Filename: 0712020.exe, Detection: malicious
                                                                                   • Filename: JfRbEbUkpV39K4L.exe, Detection: malicious
                                                                                   • Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
                                                                                   • Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
                                                                                   • Filename: zC3edqmNNt.exe, Detection: malicious
                                                                                   • Filename: Shipping Document.pdf..exe, Detection: malicious
                                                                                   • Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious
                                                                                   • Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious
                                                                                   • Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious
                                                                                   • Filename: TT Swift Copy..,.exe, Detection: malicious
                                                                                   • Filename: Invoice-.exe, Detection: malicious
                                                                                   • Filename: Invoice..,.exe, Detection: malicious
                                                                                   • Filename: Bank Update Info.exe, Detection: malicious
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):120
                                                                                  Entropy (8bit):5.016405576253028
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                  MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                  SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                  SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                  SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                  Malicious:false
                                                                                  Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\TdX45jQWjj.exe.log
                                                                                  Process:C:\Users\user\Desktop\TdX45jQWjj.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):655
                                                                                  Entropy (8bit):5.273171405160065
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
                                                                                  MD5:2703120C370FBB4A8BA08C6D1754039E
                                                                                  SHA1:EC0DB47BF00A4A828F796147619386C0BBEA66A1
                                                                                  SHA-256:F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
                                                                                  SHA-512:BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
                                                                                  Malicious:true
                                                                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..
                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):120
                                                                                  Entropy (8bit):5.016405576253028
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                  MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                  SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                  SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                  SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                  Malicious:false
                                                                                  Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                  C:\Users\user\AppData\Local\Temp\tmp84A9.tmp
                                                                                  Process:C:\Users\user\Desktop\TdX45jQWjj.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1654
                                                                                  Entropy (8bit):5.164840508589519
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3GNtn:cbha7JlNQV/rydbz9I3YODOLNdq3m
                                                                                  MD5:96AE2E087DAE15CE7270C5FB8128CC1E
                                                                                  SHA1:F3F852F3B0134DCB9B3E3F0DB1901E0462CE9930
                                                                                  SHA-256:BB20A3526C68DB79050BC2325F6C3DD8AA632A70453916E5BA989EBC9CCC3201
                                                                                  SHA-512:135FF3B63071F8B48191E42B6EA6500429CC3969D675120173EF1DDEBE64DC448F3F4FA6DFFBA45D4CDC1EBB07B909C8DEB5DD3899CEA9A746A862727E91F55F
                                                                                  Malicious:true
                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                                                  C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1320
                                                                                  Entropy (8bit):5.135021273392143
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
                                                                                  MD5:40B11EF601FB28F9B2E69D36857BF2EC
                                                                                  SHA1:B6454020AD2CEED193F4792B77001D0BD741B370
                                                                                  SHA-256:C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
                                                                                  SHA-512:E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
                                                                                  Malicious:false
                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                  C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1310
                                                                                  Entropy (8bit):5.109425792877704
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                  Malicious:false
                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:ISO-8859 text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):8
                                                                                  Entropy (8bit):2.75
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cg99t:cgF
                                                                                  MD5:BC4D62E76C99B9DA2A2D11CAA27D85C5
                                                                                  SHA1:FEBCC76A90A831BC18602642DA89F8A119A97791
                                                                                  SHA-256:3F30A21FD0FBCF36E808D2B80AA932C54E57D6E82497C9219329DBE4F2018B41
                                                                                  SHA-512:BBFD205513B3BF65D77F9ECF4C48A1F34324F9748C43005269F7E3D1934ECE2380CC7ACCBAAAA5BC398C6CD91B43A446072B30F91775D0C1101CC1321C0C52B4
                                                                                  Malicious:true
                                                                                  Preview: b.'.a..H
                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):57
                                                                                  Entropy (8bit):4.795707286467131
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:oMty8WbSX/MNn:oMLWus
                                                                                  MD5:D685103573539B7E9FDBF5F1D7DD96CE
                                                                                  SHA1:4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
                                                                                  SHA-256:D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
                                                                                  SHA-512:17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
                                                                                  Malicious:false
                                                                                  Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                  C:\Users\user\AppData\Roaming\RTOqzQABo.exe
                                                                                  Process:C:\Users\user\Desktop\TdX45jQWjj.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):724480
                                                                                  Entropy (8bit):6.873898218108219
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:4U1KZEwKE03lKYxU/3JHrcnfgqIxI9f105FnYGK53:4U1bE03lpS3JLcnf3e+y59S53
                                                                                  MD5:F261164B55C3BE5C3C86150FF2A7CC27
                                                                                  SHA1:634A546E3841AF29B068C7C6535206695EB704D0
                                                                                  SHA-256:B40E22D33523AE869BA4A9A9159D37D61EC056FC14DC3DB7406D79620B801816
                                                                                  SHA-512:2E082DF070977B7884D7E40E4811C1BE215872681A4E2120E3035805850DCE52D886EF923E0B8D9B96819AC5532E1209CB1B39E1CBD1E24C552B6DA593EF7AEE
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 19%
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.4`..............0.............."... ...@....@.. ....................................@.................................d"..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H.......,[...............C..H..............................................}.....(.......(......{....r...p~/...(....o......{....o....&*..0............r...p(....&......o....&...*...................n..t.....o......{....o....&*.....(.....*~..{....o......{....o....(.....*.0..+.........,..{.......+....,...{....o........(.....*..0............s ...}.........(!...s".....s#...}.....s$...}.....s$...}......{....s%...}.....s&...}.....s$...}.....s$...}.....s'...}.....{....o(.....{....o(..
                                                                                  \Device\ConDrv
                                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1145
                                                                                  Entropy (8bit):4.462201512373672
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
                                                                                  MD5:46EBEB88876A00A52CC37B1F8E0D0438
                                                                                  SHA1:5E5DB352F964E5F398301662FF558BD905798A65
                                                                                  SHA-256:D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
                                                                                  SHA-512:E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
                                                                                  Malicious:false
                                                                                  Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...
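The three Task Scheduler definitions in the listing above are the two halves of NanoCore's scheduler use: tmp84A9.tmp, written by the dropper, carries an enabled LogonTrigger at LeastPrivilege (persistence), while tmpDEF3.tmp and tmpE1E2.tmp, written by the hollowed RegSvcs.exe, have no triggers at all and RunLevel HighestAvailable (an on-demand task that starts the payload with the user's full token). All three previews stop before the Actions element, and all three are ASCII files that declare encoding="UTF-16". The Python below is an added triage example, not part of the Joe Sandbox report: it parses task XML by its bytes rather than its declaration, extracts the fields that decide whether a task is persistence or privilege abuse, and matches the schtasks command-line pattern behind the report's "Scheduled temp file as task from temp location" signature. The two task documents are constructed from the fields visible on this page; their Exec/Command values, the "DHCP Monitor" task name and the schtasks command lines are assumptions for illustration, not values recovered from the sample.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions modelled on the visible parts of tmp84A9.tmp (logon
# persistence, written by the dropper) and tmpDEF3.tmp (trigger-less, highest run
# level, written by RegSvcs.exe). The <Actions> blocks are assumptions: the report
# cuts both previews off before that element.
LOGON_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>computer\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>computer\user</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\RTOqzQABo.exe</Command></Exec></Actions>
</Task>"""

ELEVATED_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /><Triggers />
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe</Command></Exec></Actions>
</Task>"""


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse a task definition by its bytes, not its declaration. NanoCore's files say
    encoding="UTF-16" but are plain ASCII (the report's file type says so), so a parser
    that trusts the declaration chokes on them. Decode by BOM, then drop the declaration."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


# Locations a standard user can write to; a task action living there is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Public)\\", re.I)


def triage_task(root: ET.Element) -> dict:
    """Pull out the fields that decide whether a task is persistence or privilege abuse."""
    def text(path: str) -> str:
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if text("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true":
        findings.append("logon trigger enabled: re-runs at every interactive logon (persistence)")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("RunLevel=HighestAvailable: task runs with the user's full token if they are an admin")
    if text("t:Settings/t:AllowHardTerminate").lower() == "false":
        findings.append("AllowHardTerminate=false: the scheduler will not kill the process on stop")
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action launches from a user-writable path: {cmd}")
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),  # fixed 2014 date in NanoCore's template
        "commands": commands,
        "findings": findings,
    }


# The registration step: schtasks /create reading its definition from a .tmp file in a
# Temp directory, which is the pattern the report's 'Scheduled temp file as task from
# temp location' signature keys on.
SCHTASKS_TEMP_XML = re.compile(
    r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/xml\s+"?(?P<xml>[^"\s]*\\temp\\[^"\s]*\.tmp)', re.I)


def is_temp_xml_task_registration(cmdline: str) -> bool:
    return SCHTASKS_TEMP_XML.search(cmdline) is not None


# Constructed command lines; the task name "DHCP Monitor" is a hypothetical.
SAMPLE_CMDLINES = [
    r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp84A9.tmp"',
    r'schtasks.exe /create /tn Backup /xml "C:\ProgramData\Backup\task.xml"',
    r'schtasks.exe /query /tn "DHCP Monitor"',
]

if __name__ == "__main__":
    for name, doc in (("logon task", LOGON_TASK), ("elevated task", ELEVATED_TASK)):
        print(name, triage_task(load_task_xml(doc.encode("ascii"))))
    for cmd in SAMPLE_CMDLINES:
        print(is_temp_xml_task_registration(cmd), cmd)
```

Two things to take away when reading the real files: the RegistrationInfo date (2014-10-25) is a constant baked into NanoCore's task template, so a task registered in 2021 that claims a 2014 registration is itself a tell when set against the sample's compile timestamp, and the elevated task carries no trigger because it is only ever started on demand (schtasks /run) to get the payload a HighestAvailable token without a UAC prompt.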

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):6.873898218108219
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:TdX45jQWjj.exe
                                                                                  File size:724480
                                                                                  MD5:f261164b55c3be5c3c86150ff2a7cc27
                                                                                  SHA1:634a546e3841af29b068c7c6535206695eb704d0
                                                                                  SHA256:b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
                                                                                  SHA512:2e082df070977b7884d7e40e4811c1be215872681a4e2120e3035805850dce52d886ef923e0b8d9b96819ac5532e1209cb1b39e1cbd1e24c552b6da593ef7aee
                                                                                  SSDEEP:12288:4U1KZEwKE03lKYxU/3JHrcnfgqIxI9f105FnYGK53:4U1bE03lpS3JLcnf3e+y59S53
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.4`..............0.............."... ...@....@.. ....................................@................................

                                                                                  File Icon

                                                                                  Icon Hash:00828e8e8686b000

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x4b22b6
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                  Time Stamp:0x6034B054 [Tue Feb 23 07:35:48 2021 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:v2.0.50727
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
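How the table above is derived, as an added example that is not part of the Joe Sandbox report: the Python below decodes the same PE32 fields from raw header bytes (entry point as ImageBase plus AddressOfEntryPoint, TimeDateStamp to UTC, the Characteristics and DllCharacteristics bit names, and the CLR data directory whose presence is what makes this a "Mono/.Net assembly"), and computes the pefile-style import hash. The caveat a practitioner wants here is that f34d5f2d4577ed6d9ceec516c1f5a744 is the hash of a single import, mscoree!_CorExeMain: the only native code in a managed executable is the loader stub (the `jmp dword ptr [00402000h]` through the IAT shown under Entrypoint Preview), so practically every .NET executable shares this value and, unlike the SHA-256 and SSDEEP values (which also match the dropped copy RTOqzQABo.exe), it is useless as a pivot. The header bytes are constructed with only the values printed on this page; the CLR directory RVA and size are placeholders.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics
# bits, named the way the report prints them.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # the CLR (.NET) header slot


def flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Decode the PE32 fields that the report's 'Static PE Info' table is built from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER (20 bytes)
    machine, _nsec, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    n_dirs = struct.unpack_from("<I", data, oh + 92)[0]
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:     # data directories start at +96
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, oh + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "file_characteristics": flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flags(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "is_dotnet": clr_rva != 0 and clr_size != 0,      # CLR header present => managed image
    }


def imphash(imports) -> str:
    """pefile-style import hash: md5 over 'lib.func' pairs, lowercased, comma-joined,
    with .dll/.ocx/.sys stripped from the library name."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def build_sample_header() -> bytes:
    """Constructed stand-in for the sample's headers: only the fields the report prints
    are populated (values copied from the table), everything else is zero."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x6034B054, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0xB22B6)              # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                # subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x8540)           # GUI; NO_SEH|TSAWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)  # CLR header RVA/size: placeholder values
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key:>21}: {value}")
    # Every .NET exe whose only native import is mscoree!_CorExeMain hashes to this.
    print("imphash(mscoree._CorExeMain) =", imphash([("mscoree.dll", "_CorExeMain")]))
```

Run it against the real file by replacing `build_sample_header()` with the first few hundred bytes of the sample; the values will match the table, and the imphash will still be the generic .NET one, which is why a hunt for this family should key on the SSDEEP, the section layout or the NanoCore configuration rather than on the import table.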

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2264 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x5bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb02bc | 0xb0400 | False | 0.647197750443 | data | 6.88263810957 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x5bc | 0x600 | False | 0.429036458333 | data | 4.1755308999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb4090 | 0x32c | data | |
RT_MANIFEST | 0xb43cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | yKpW14.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Core.Numero
ProductVersion | 1.0.0.0
FileDescription | Core.Numero
OriginalFilename | yKpW14.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 17:17:49.816740036 CET | 49728 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:49.866312027 CET | 58103 | 49728 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:17:50.469731092 CET | 49728 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:50.518347025 CET | 58103 | 49728 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:17:51.167937994 CET | 49728 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:51.216872931 CET | 58103 | 49728 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:17:56.111509085 CET | 49729 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:56.160279036 CET | 58103 | 49729 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:17:56.668401003 CET | 49729 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:56.719479084 CET | 58103 | 49729 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:17:57.358163118 CET | 49729 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:17:57.408514023 CET | 58103 | 49729 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:01.533585072 CET | 49730 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:01.582025051 CET | 58103 | 49730 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:02.090732098 CET | 49730 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:02.139506102 CET | 58103 | 49730 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:02.653309107 CET | 49730 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:02.701766014 CET | 58103 | 49730 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:06.780617952 CET | 49733 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:06.863351107 CET | 58103 | 49733 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:07.372442961 CET | 49733 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:07.452433109 CET | 58103 | 49733 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:07.966236115 CET | 49733 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:08.046123981 CET | 58103 | 49733 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:12.063834906 CET | 49734 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:12.143503904 CET | 58103 | 49734 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:12.747900963 CET | 49734 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:12.828243971 CET | 58103 | 49734 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:13.435470104 CET | 49734 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:13.512624979 CET | 58103 | 49734 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:17.515353918 CET | 49737 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:17.592787981 CET | 58103 | 49737 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:18.138947964 CET | 49737 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:18.218111992 CET | 58103 | 49737 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:18.810132980 CET | 49737 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:18.886920929 CET | 58103 | 49737 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:23.099721909 CET | 49750 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:23.148130894 CET | 58103 | 49750 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:23.655040979 CET | 49750 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:23.703653097 CET | 58103 | 49750 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:24.217570066 CET | 49750 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:24.266292095 CET | 58103 | 49750 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:28.430910110 CET | 49753 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:28.479902983 CET | 58103 | 49753 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:29.030546904 CET | 49753 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:29.081515074 CET | 58103 | 49753 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:29.602902889 CET | 49753 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:29.656091928 CET | 58103 | 49753 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:33.783016920 CET | 49754 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:33.831398964 CET | 58103 | 49754 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:34.343411922 CET | 49754 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:34.391799927 CET | 58103 | 49754 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:34.906061888 CET | 49754 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:34.957196951 CET | 58103 | 49754 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:38.970818996 CET | 49755 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:39.052138090 CET | 58103 | 49755 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:39.562731028 CET | 49755 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:39.642889977 CET | 58103 | 49755 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:40.156390905 CET | 49755 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:40.237574100 CET | 58103 | 49755 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:44.253082037 CET | 49756 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:44.330132961 CET | 58103 | 49756 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:44.844403982 CET | 49756 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:44.923239946 CET | 58103 | 49756 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:45.438157082 CET | 49756 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:45.515690088 CET | 58103 | 49756 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:49.533921003 CET | 49760 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:49.613707066 CET | 58103 | 49760 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:50.126089096 CET | 49760 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:50.203037977 CET | 58103 | 49760 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:50.708053112 CET | 49760 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:18:50.788264036 CET | 58103 | 49760 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:18:54.901932001 CET | 49761 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:54.953493118 CET | 58103 | 49761 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:55.454627037 CET | 49761 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:55.502931118 CET | 58103 | 49761 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:18:56.017488003 CET | 49761 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:18:56.066579103 CET | 58103 | 49761 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:00.350300074 CET | 49762 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:00.398675919 CET | 58103 | 49762 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:00.970395088 CET | 49762 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:01.021527052 CET | 58103 | 49762 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:01.565815926 CET | 49762 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:01.614341021 CET | 58103 | 49762 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:05.837376118 CET | 49765 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:05.886914968 CET | 58103 | 49765 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:06.396033049 CET | 49765 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:06.444776058 CET | 58103 | 49765 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:06.960246086 CET | 49765 | 58103 | 192.168.2.6 | 87.237.165.78
Feb 23, 2021 17:19:07.011647940 CET | 58103 | 49765 | 87.237.165.78 | 192.168.2.6
Feb 23, 2021 17:19:11.158442974 CET | 49766 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:19:11.239665031 CET | 58103 | 49766 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:19:11.745487928 CET | 49766 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:19:11.825278044 CET | 58103 | 49766 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:19:12.339214087 CET | 49766 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:19:12.419230938 CET | 58103 | 49766 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:19:16.531472921 CET | 49767 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:19:16.608556032 CET | 58103 | 49767 | 79.134.225.43 | 192.168.2.6
Feb 23, 2021 17:19:17.120801926 CET | 49767 | 58103 | 192.168.2.6 | 79.134.225.43
Feb 23, 2021 17:19:17.199274063 CET | 58103 | 49767 | 79.134.225.43 | 192.168.2.6

UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Feb 23, 2021 17:17:09.184077024 CET | 53          | 54513     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:10.261516094 CET | 62044       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:10.318402052 CET | 53          | 62044     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:10.698014975 CET | 63791       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:10.764590025 CET | 53          | 63791     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:11.418453932 CET | 64267       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:11.477303028 CET | 53          | 64267     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:12.567426920 CET | 49448       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:12.618798971 CET | 53          | 49448     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:13.725222111 CET | 60342       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:13.776582956 CET | 53          | 60342     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:15.202279091 CET | 61346       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:15.250933886 CET | 53          | 61346     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:16.409442902 CET | 51774       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:16.458087921 CET | 53          | 51774     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:17.203763962 CET | 56023       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:17.252573013 CET | 53          | 56023     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:18.513149977 CET | 58384       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:18.564690113 CET | 53          | 58384     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:21.420331001 CET | 60261       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:21.473280907 CET | 53          | 60261     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:22.546210051 CET | 56061       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:22.594912052 CET | 53          | 56061     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:23.544114113 CET | 58336       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:23.597176075 CET | 53          | 58336     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:24.718357086 CET | 53781       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:24.771702051 CET | 53          | 53781     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:25.781019926 CET | 54064       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:25.831368923 CET | 53          | 54064     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:26.665043116 CET | 52811       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:26.713695049 CET | 53          | 52811     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:28.045661926 CET | 55299       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:28.105572939 CET | 53          | 55299     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:29.242130041 CET | 63745       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:29.292561054 CET | 53          | 63745     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:30.302110910 CET | 50055       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:30.353559971 CET | 53          | 50055     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:45.749149084 CET | 61374       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:45.803076982 CET | 53          | 61374     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:49.724088907 CET | 50339       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:49.785586119 CET | 53          | 50339     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:17:56.046478987 CET | 63307       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:17:56.108705044 CET | 53          | 63307     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:01.465342045 CET | 49694       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:01.531475067 CET | 53          | 49694     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:04.277283907 CET | 54982       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:04.327717066 CET | 53          | 54982     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:05.928406000 CET | 50010       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:06.000159979 CET | 53          | 50010     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:16.739250898 CET | 63718       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:16.822832108 CET | 53          | 63718     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:17.364798069 CET | 62116       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:17.422219038 CET | 53          | 62116     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:18.057244062 CET | 63816       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:18.072122097 CET | 55014       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:18.116528034 CET | 53          | 63816     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:18.131342888 CET | 53          | 55014     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:18.182094097 CET | 62208       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:18.250031948 CET | 53          | 62208     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:18.626137972 CET | 57574       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:18.686405897 CET | 53          | 57574     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:19.258896112 CET | 51818       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:19.342488050 CET | 53          | 51818     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:19.996468067 CET | 56628       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:20.056597948 CET | 53          | 56628     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:20.854536057 CET | 60778       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:20.913292885 CET | 53          | 60778     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:22.093715906 CET | 53799       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:22.142374039 CET | 53          | 53799     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:23.032670975 CET | 54683       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:23.097532034 CET | 53          | 54683     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:23.788300991 CET | 59329       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:23.845614910 CET | 53          | 59329     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:24.421181917 CET | 64021       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:24.478604078 CET | 53          | 64021     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:28.319880962 CET | 56129       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:28.378196001 CET | 53          | 56129     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:33.718417883 CET | 58177       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:33.780843973 CET | 53          | 58177     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:48.620522022 CET | 50700       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:48.695178986 CET | 53          | 50700     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:18:54.838036060 CET | 54069       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:18:54.900182009 CET | 53          | 54069     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:19:00.232599974 CET | 61178       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:19:00.292726040 CET | 53          | 61178     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:19:01.121434927 CET | 57017       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:19:01.172938108 CET | 53          | 57017     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:19:02.884172916 CET | 56327       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:19:02.941157103 CET | 53          | 56327     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:19:05.774005890 CET | 50243       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:19:05.835586071 CET | 53          | 50243     | 8.8.8.8     | 192.168.2.6
Feb 23, 2021 17:19:27.155184031 CET | 62055       | 53        | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 17:19:27.215336084 CET | 53          | 62055     | 8.8.8.8     | 192.168.2.6

DNS Queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class
Feb 23, 2021 17:17:49.724088907 CET | 192.168.2.6 | 8.8.8.8 | 0x8dda   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:17:56.046478987 CET | 192.168.2.6 | 8.8.8.8 | 0x7f93   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:01.465342045 CET | 192.168.2.6 | 8.8.8.8 | 0x5766   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:23.032670975 CET | 192.168.2.6 | 8.8.8.8 | 0xcdaa   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:28.319880962 CET | 192.168.2.6 | 8.8.8.8 | 0xf0     | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:33.718417883 CET | 192.168.2.6 | 8.8.8.8 | 0x8db7   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:54.838036060 CET | 192.168.2.6 | 8.8.8.8 | 0xe570   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:00.232599974 CET | 192.168.2.6 | 8.8.8.8 | 0xb91e   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:05.774005890 CET | 192.168.2.6 | 8.8.8.8 | 0xd6c9   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:27.155184031 CET | 192.168.2.6 | 8.8.8.8 | 0x9f73   | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address       | Type           | Class
Feb 23, 2021 17:17:49.785586119 CET | 8.8.8.8   | 192.168.2.6 | 0x8dda   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:17:56.108705044 CET | 8.8.8.8   | 192.168.2.6 | 0x7f93   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:01.531475067 CET | 8.8.8.8   | 192.168.2.6 | 0x5766   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:23.097532034 CET | 8.8.8.8   | 192.168.2.6 | 0xcdaa   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:28.378196001 CET | 8.8.8.8   | 192.168.2.6 | 0xf0     | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:33.780843973 CET | 8.8.8.8   | 192.168.2.6 | 0x8db7   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:18:54.900182009 CET | 8.8.8.8   | 192.168.2.6 | 0xe570   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:00.292726040 CET | 8.8.8.8   | 192.168.2.6 | 0xb91e   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:05.835586071 CET | 8.8.8.8   | 192.168.2.6 | 0xd6c9   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:19:27.215336084 CET | 8.8.8.8   | 192.168.2.6 | 0x9f73   | No error (0) | strongodss.ddns.net |       | 87.237.165.78 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:17:16
Start date: 23/02/2021
Path: C:\Users\user\Desktop\TdX45jQWjj.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TdX45jQWjj.exe'
Imagebase: 0xa50000
File size: 724480 bytes
MD5 hash: F261164B55C3BE5C3C86150FF2A7CC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 17:17:43
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
Imagebase: 0x120000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:44
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:44
Start date: 23/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x8d0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: moderate

General

Start time: 17:17:46
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
Imagebase: 0x120000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:46
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:46
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
Imagebase: 0x120000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:47
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:48
Start date: 23/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase: 0x90000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 17:17:48
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:48
Start date: 23/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0x7a0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 17:17:48
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:17:55
Start date: 23/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x790000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 17:17:56
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
