Analysis Report PO_6620200947535257662_Arabico.PDF.exe

Overview

General Information

Sample Name: PO_6620200947535257662_Arabico.PDF.exe
Analysis ID: 382596
MD5: b737570f9e9a1bdd794f78e3906e61b9
SHA1: 0dd10acab603b2f1269d05534902b09d38e31ac5
SHA256: 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Startup

  • System is w10x64
  • PO_6620200947535257662_Arabico.PDF.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)
    • cmd.exe (PID: 6780 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6816 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • gvvccsccefghhsnd.exe (PID: 6824 cmdline: 'C:\Users\user\gvvccsccefghhsnd.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)
      • InstallUtil.exe (PID: 5596 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "883c2226-d991-4f34-8646-4dd2732a",
  "Group": "",
  "Domain1": "185.157.161.86",
  "Domain2": "nanopc.linkpc.net",
  "Port": 50005,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Disable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Disable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Memory Dumps

Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(29 further memory-dump entries not shown)

Unpacked PEs

Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(104 further unpacked-PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\gvvccsccefghhsnd.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: PO_6620200947535257662_Arabico.PDF.exe | ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match | File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\gvvccsccefghhsnd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_6620200947535257662_Arabico.PDF.exe | Joe Sandbox ML: detected
Source: 28.2.InstallUtil.exe.5970000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 28.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then jmp 04B96611h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then jmp 04B96611h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 04D56611h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 04D56611h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 06602717h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 06602717h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 06603C35h
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 06603C35h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: nanopc.linkpc.net
Source: Malware configuration extractor | URLs: 185.157.161.86
Source: global traffic | TCP traffic: 192.168.2.6:49754 -> 185.157.161.86:50005
Source: Joe Sandbox View | IP Address: 185.157.161.86 185.157.161.86
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.161.86 (reported 4 times)
Source: gvvccsccefghhsnd.exe, 00000013.00000002.602922386.00000000009F5000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465799062.000000000271C000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.604420150.000000000275E000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: InstallUtil.exe, 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: the same 40 memory-dump (type: MEMORY) and unpacked-PE (type: UNPACKEDPE) sources already listed for this signature under "AV Detection" above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.2.InstallUtil.exe.31d9708.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: PO_6620200947535257662_Arabico.PDF.exe, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Source: gvvccsccefghhsnd.exe.0.dr, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.240000.0.unpack, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Source: 0.0.PO_6620200947535257662_Arabico.PDF.exe.240000.0.unpack, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Source: 19.2.gvvccsccefghhsnd.exe.340000.0.unpack, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Source: 19.0.gvvccsccefghhsnd.exe.340000.0.unpack, Dj7z/e1J0.cs | Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO_6620200947535257662_Arabico.PDF.exe
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D6E24 CreateProcessAsUserW,
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_002434F8
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_00D0E020
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_00D0AF40
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_00D0BC30
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B93498
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B94218
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B95D98
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B9C5A8
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B9C598
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B96638
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B96628
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B9420E
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B90340
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B97870
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B9CB58
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 0_2_04B9CB4A
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_003434F8
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255E020
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255A990
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255AF40
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255BFE0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255A358
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_0255BC30
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D504A0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D54218
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D55D98
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D5C598
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D5C5A8
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D56638
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D56628
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D54208
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D5CB58
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_04D5CB4A
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D6558
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D7D0F
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DD258
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D7218
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DB22A
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DAB02
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D9038
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DDC78
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DDC0F
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DC4B0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DC4A0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D6548
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D4B78
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065D4B68
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DE8E8
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DC918
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_065DC928
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_06600C60
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_06600040
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 19_2_06600006
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_00C820B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_0302E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_0302E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_0302BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_0564F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_05649788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_05643550
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 28_2_0564A610
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gvvccsccefghhsnd.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000000.336475419.0000000000301000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemcntyre.exeH vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465913401.00000000027FE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470839679.0000000006390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470947040.0000000006420000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470947040.0000000006420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.472908360.0000000006FF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470532416.0000000006070000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe | Binary or memory string: OriginalFilenamemcntyre.exeH vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.31d9708.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/7@0/1
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile created: C:\Users\user\gvvccsccefghhsnd.exeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{883c2226-d991-4f34-8646-4dd2732a341c}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
      Source: PO_6620200947535257662_Arabico.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\gvvccsccefghhsnd.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\gvvccsccefghhsnd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\gvvccsccefghhsnd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\gvvccsccefghhsnd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: PO_6620200947535257662_Arabico.PDF.exeReversingLabs: Detection: 20%
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile read: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe'
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeProcess created: C:\Users\user\gvvccsccefghhsnd.exe 'C:\Users\user\gvvccsccefghhsnd.exe'
      Source: C:\Users\user\gvvccsccefghhsnd.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeProcess created: C:\Users\user\gvvccsccefghhsnd.exe 'C:\Users\user\gvvccsccefghhsnd.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Users\user\gvvccsccefghhsnd.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: PO_6620200947535257662_Arabico.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PO_6620200947535257662_Arabico.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: ghfvjjtjhhjghdgghrba.exe.19.drStatic PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeCode function: 0_2_0024333E push cs; retf
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeCode function: 0_2_00243381 push cs; retf
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exeCode function: 0_2_0024277B push edi; iretd
      Source: C:\Users\user\gvvccsccefghhsnd.exeCode function: 19_2_0034333E push cs; retf
      Source: C:\Users\user\gvvccsccefghhsnd.exeCode function: 19_2_00343381 push cs; retf
      Source: C:\Users\user\gvvccsccefghhsnd.exeCode function: 19_2_0034277B push edi; iretd
      Source: C:\Users\user\gvvccsccefghhsnd.exeCode function: 19_2_04D55950 push es; retf
      Source: C:\Users\user\gvvccsccefghhsnd.exeCode function: 19_2_065D4B21 pushfd ; retf
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 28_2_0564B5E0 push eax; retf
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 28_2_056469F8 pushad ; retf
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 28_2_056469FA push esp; retf
      Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
      Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
      Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
      Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
      Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
      Source: 28.2.InstallUtil.exe.400000.0.unpack, #=qJT4I5hOweIku$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 28.2.InstallUtil.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe
      Source: C:\Users\user\gvvccsccefghhsnd.exe File created: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
      Drops PE files to the user root directory
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File opened: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe\:Zone.Identifier read attributes | delete
      Source: C:\Users\user\gvvccsccefghhsnd.exe File opened: C:\Users\user\gvvccsccefghhsnd.exe\:Zone.Identifier read attributes | delete
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe Static PE information: PO_6620200947535257662_Arabico.PDF.exe
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\gvvccsccefghhsnd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\gvvccsccefghhsnd.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Window / User API: threadDelayed 496
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Window / User API: threadDelayed 9288
      Source: C:\Users\user\gvvccsccefghhsnd.exe Window / User API: threadDelayed 361
      Source: C:\Users\user\gvvccsccefghhsnd.exe Window / User API: threadDelayed 9441
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1877
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 7713
      Source: C:\Users\user\gvvccsccefghhsnd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6592 Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6668 Thread sleep count: 496 > 30
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6668 Thread sleep count: 9288 > 30
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6592 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5700 Thread sleep count: 361 > 30
      Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5700 Thread sleep count: 9441 > 30
      Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep count: 41 > 30
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5960 Thread sleep time: -20291418481080494s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 30000
      Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 30000
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.471113156.0000000006634000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:!
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.614103031.00000000061CF000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.602922386.00000000009F5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
      Source: InstallUtil.exe, 0000001C.00000002.602877999.00000000012A4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process token adjusted: Debug
      Source: C:\Users\user\gvvccsccefghhsnd.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
      Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: EA4008
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Users\user\gvvccsccefghhsnd.exe 'C:\Users\user\gvvccsccefghhsnd.exe'
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
      Source: C:\Users\user\gvvccsccefghhsnd.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: InstallUtil.exe, 0000001C.00000002.605205180.00000000032A8000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
      Source: InstallUtil.exe, 0000001C.00000002.604626929.00000000031D2000.00000004.00000001.sdmp Binary or memory string: Program Managerx
      Source: InstallUtil.exe, 0000001C.00000002.604626929.00000000031D2000.00000004.00000001.sdmp Binary or memory string: Program Manager`n
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Users\user\gvvccsccefghhsnd.exe VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
      Source: Yara match File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
      Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
      Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
      Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: gvvccsccefghhsnd.exe, 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: InstallUtil.exe, 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: InstallUtil.exe, 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match | File sources: the same 40 memory dumps and unpacked PE files listed for this signature under "Stealing of Sensitive Information" above

      Mitre Att&ck Matrix

      Techniques are listed per tactic column; the number in parentheses is the report's hit count for techniques observed in this sample.

      Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
      Persistence: Valid Accounts (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (312); Registry Run Keys / Startup Folder (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (12); Software Packing (11); Timestomp (1); Masquerading (211); Valid Accounts (1); Modify Registry (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (312); Hidden Files and Directories (1)
      Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
      Discovery: File and Directory Discovery (1); System Information Discovery (12); Query Registry (1); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
      Collection: Archive Collected Data (11); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

      Behavior Graph

      Behavior Graph ID: 382596
      Sample: PO_6620200947535257662_Arab...
      Startdate: 06/04/2021
      Architecture: WINDOWS
      Score: 100
      Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures

      Process tree (dropped files, signatures and network contacts are listed under the process they belong to):

      • PO_6620200947535257662_Arabico.PDF.exe (started)
        dropped: C:\Users\user\gvvccsccefghhsnd.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\...\gvvccsccefghhsnd.exe:Zone.Identifier (ASCII); PO_662020094753525...Arabico.PDF.exe.log (ASCII)
        signatures: Drops PE files to the user root directory; Hides that the sample has been downloaded from the Internet (zone.identifier)
        • gvvccsccefghhsnd.exe (started by PO_6620200947535257662_Arabico.PDF.exe)
          dropped: C:\Users\user\...\ghfvjjtjhhjghdgghrba.exe (PE32)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
          • InstallUtil.exe (started by gvvccsccefghhsnd.exe)
            network: 185.157.161.86 port 50005 (OBE-EUROPEObenetworkEuropeSE, Sweden)
            dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
        • cmd.exe (started by PO_6620200947535257662_Arabico.PDF.exe)
          • reg.exe (started by cmd.exe)
            signatures: Creates an undocumented autostart registry key
          • conhost.exe (started by cmd.exe)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      PO_6620200947535257662_Arabico.PDF.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      PO_6620200947535257662_Arabico.PDF.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\gvvccsccefghhsnd.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
      C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | 14% | Metadefender |
      C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | 26% | ReversingLabs | Win32.Trojan.Ymacco
      C:\Users\user\gvvccsccefghhsnd.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      28.2.InstallUtil.exe.5970000.9.unpack | 100% | Avira | TR/NanoCore.fadte
      28.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
      http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
      https://pki.goog/repository/0 | 0% | URL Reputation | safe
      185.157.161.86 | 0% | Avira URL Cloud | safe
      http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      nanopc.linkpc.net | false | | high
      185.157.161.86 | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://pki.goog/gsr2/GTS1O1.crt0 | PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://crl.pki.goog/gsr2/gsr2.crl0? | gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      https://pki.goog/repository/0 | gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp | false | | high
      http://schema.org/WebPage | gvvccsccefghhsnd.exe, 00000013.00000002.604420150.000000000275E000.00000004.00000001.sdmp | false | | high
      http://crl.pki.goog/GTS1O1core.crl0 | PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      185.157.161.86 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true

      General Information

      Joe Sandbox Version: 31.0.0 Emerald
      Analysis ID: 382596
      Start date: 06.04.2021
      Start time: 10:35:12
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 11m 27s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: PO_6620200947535257662_Arabico.PDF.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 29
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.evad.winEXE@10/7@0/1
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 0.2% (good quality ratio 0.1%)
      • Quality average: 22.7%
      • Quality standard deviation: 26.4%
      HCA Information:
      • Successful, ratio: 99%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 131.253.33.200, 13.107.22.200, 13.64.90.137, 93.184.221.240, 92.122.145.220, 216.58.207.164, 204.79.197.200, 13.107.21.200, 104.43.139.144, 20.82.209.183, 92.122.213.194, 92.122.213.247, 104.42.151.234, 52.155.217.156, 2.20.142.210, 2.20.142.209, 20.54.26.129, 20.50.102.62, 184.30.24.56, 13.88.21.125
      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, cs11.wpc.v0cdn.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/382596/sample/PO_6620200947535257662_Arabico.PDF.exe

      Simulations

      Behavior and APIs

      Time | Type | Description
      10:36:25 | API Interceptor | 227x Sleep call for process: PO_6620200947535257662_Arabico.PDF.exe modified
      10:37:23 | API Interceptor | 188x Sleep call for process: gvvccsccefghhsnd.exe modified

      Joe Sandbox View / Context

      IPs

      Match: 185.157.161.86
      Associated Sample Name / URL | Detection
      CN-Invoice-XXXXX9808-19011143287998.exe | malicious
      CN-Invoice-XXXXX9808-19011143287994.exe | malicious
      CN-Invoice-XXXXX9808-19011143287993.exe | malicious
      CN-Invoice-XXXXX9808-19011143287990.exe | malicious
      CN-Invoice-XXXXX9808-19011143287990.exe | malicious
      Order_List_PO# 081929.exe | malicious
      order-1812896543124646450.exe | malicious
      order-181289654312464649.exe | malicious
      order-181289654312464648.exe | malicious
      Order_1101201918_AUTECH.exe | malicious
      50404868-c352-422f-a608-7fd64b335eec.exe | malicious
      74725794.pdf.exe | malicious
      Order_List_PO# 0819289.exe | malicious

      Domains

      No context

      ASN

      Match: OBE-EUROPEObenetworkEuropeSE
      Associated Sample Name / URL | Detection | Context (IP)
      KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe | malicious | 45.148.16.46
      Order PONSB 04042021.pdf(939MB).exe | malicious | 45.148.16.42
      Document.exe | malicious | 193.187.90.38
      Swift Copy Against due Invoice.PDF.exe | malicious | 45.148.16.42
      Ref150420190619A-B0270PEL. pdf.exe | malicious | 45.148.16.42
      Attached pdf.exe | malicious | 185.157.160.229
      DHL DELIVERY NOTE 2021003982721.exe | malicious | 45.148.16.42
      file.exe | malicious | 217.64.151.217
      0001.exe | malicious | 185.86.106.202
      0001.exe | malicious | 185.86.106.202
      PO_6620200947535257653_Arabico.PDF.exe | malicious | 185.157.161.20
      Purchase Order.exe | malicious | 185.157.161.113
      FedEx Tracking Details.exe | malicious | 185.86.106.202
      HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF.exe | malicious | 194.32.146.143
      Purchase Order.exe | malicious | 185.157.161.113
      Nuevo orden & Aliafor Documentos.exe | malicious | 185.86.106.202
      Document.exe | malicious | 217.64.151.237
      CN-Invoice-XXXXX9808-19011143287998.exe | malicious | 185.157.161.20
      Document.exe | malicious | 217.64.151.237
      Purchase Order.exe | malicious | 185.157.161.113

      JA3 Fingerprints

      No context

      Dropped Files

      Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Associated Sample Name / URL | Detection
      payment notification.exe | malicious
      Payment Notification.exe | malicious
      s.exe | malicious
      MV.exe | malicious
      e.exe | malicious
      SL_PO8192.PDF.exe | malicious
      QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious
      RFQ9088QTY.exe | malicious
      NEWQUOTATION#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious
      OUTSTANDING PAYMENT,PDF.exe | malicious
      New Order 567w43.exe | malicious
      SRESTKM-series.exe | malicious
      SecuriteInfo.com.Trojan.Siggen12.56637.29917.exe | malicious
      VITR000413774..exe | malicious
      Order 100955-21042021.exe | malicious
      R ALHTQ19-P0401-940 GR2P5 TYPBLDG-NASE FERDAN Q0539 NE-Q22.exe | malicious
      ORDER 100955-21042021.exe | malicious
      DOCUMENT_395849584954.exe | malicious
      Documents_00924930493030493.exe | malicious
      All Details.exe | malicious

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_6620200947535257662_Arabico.PDF.exe.log
                                                                              Process:C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):1402
                                                                              Entropy (8bit):5.338819835253785
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4Ko84qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesX3:MIHK5HKXE1qHbHKovmAHKzvRYHKhQnoe
                                                                              MD5:8273F0DD3A6F885D475E92688D9D7583
                                                                              SHA1:2DD9D780D4E2F2AD7B458F5A5722D36081F426C4
                                                                              SHA-256:D17626929C751206513FE9CF332754F45480CA9E262F746E86D38E6ADD16F8AB
                                                                              SHA-512:FB70A91B9B67C2A78D77EBD2B3F8E104664AC97AA4C487CCB90ED3A114A311B46DCD77052CEB184501CECE4A577D952CC479E0AF8F891CB44D2B2C70228C0A1E
                                                                              Malicious:true
                                                                              Reputation:low
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                              C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                              Process:C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):41064
                                                                              Entropy (8bit):6.164873449128079
                                                                              Encrypted:false
                                                                              SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                              MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                              SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                              SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                              SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                              Malicious:true
                                                                              Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
• Filename: payment notification.exe, Detection: malicious
• Filename: Payment Notification.exe, Detection: malicious
• Filename: s.exe, Detection: malicious
• Filename: MV.exe, Detection: malicious
• Filename: e.exe, Detection: malicious
• Filename: SL_PO8192.PDF.exe, Detection: malicious
• Filename: QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe, Detection: malicious
• Filename: RFQ9088QTY.exe, Detection: malicious
• Filename: NEWQUOTATION#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe, Detection: malicious
• Filename: OUTSTANDING PAYMENT,PDF.exe, Detection: malicious
• Filename: New Order 567w43.exe, Detection: malicious
• Filename: SRESTKM-series.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen12.56637.29917.exe, Detection: malicious
• Filename: VITR000413774..exe, Detection: malicious
• Filename: Order 100955-21042021.exe, Detection: malicious
• Filename: R ALHTQ19-P0401-940 GR2P5 TYPBLDG-NASE FERDAN Q0539 NE-Q22.exe, Detection: malicious
• Filename: ORDER 100955-21042021.exe, Detection: malicious
• Filename: DOCUMENT_395849584954.exe, Detection: malicious
• Filename: Documents_00924930493030493.exe, Detection: malicious
• Filename: All Details.exe, Detection: malicious
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                              C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe
                                                                              Process:C:\Users\user\gvvccsccefghhsnd.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):78336
                                                                              Entropy (8bit):4.369296705546591
                                                                              Encrypted:false
                                                                              SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                                              MD5:0E362E7005823D0BEC3719B902ED6D62
                                                                              SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                                              SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                                              SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                                              Malicious:true
                                                                              Antivirus:
• Antivirus: Metadefender, Detection: 14%
                                                                              • Antivirus: ReversingLabs, Detection: 26%
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
                                                                              C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.txt
                                                                              Process:C:\Users\user\gvvccsccefghhsnd.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):49
                                                                              Entropy (8bit):4.279486946865809
                                                                              Encrypted:false
                                                                              SSDEEP:3:X8ONEE1Jn:MONEE1Jn
                                                                              MD5:C50B8CB81A83FE38A157C2B6099037A3
                                                                              SHA1:FC12D6A3FFE15AF1F556278A241A0E6C2C9B99FA
                                                                              SHA-256:F7A45394303B3F40F087D96F532DD3D980FAC1B235750420F816DF422B5EB65F
                                                                              SHA-512:9519F5FB1EFA2D201690772109ECEBF15DF1F4485D26AE547AE93A115C843D89FEA78B145C55C31405D5E0FFF27131EBBEDBEC490D0DE08740098AA2AC018A13
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview: 6824..C:\Users\user\gvvccsccefghhsnd.exe..0..
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                              Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8
                                                                              Entropy (8bit):3.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:5Hsn:Zsn
                                                                              MD5:F9E71D3F4FE71AEA2CFFFD1007D5C98A
                                                                              SHA1:577D0D6A494CDB5DBE47D6ECD4917C05A3448604
                                                                              SHA-256:36B9796CEAD21232A868FD8644B236F4BB7775645263371280526609A8AF78AC
                                                                              SHA-512:9E3BD49F498FBAD737B0D712BDE57847D6457C29AB84989B9883CA71DD0026E38430C8B4D2F95878EBD8D2B386F86F5BE01DFED029DE1D6BAEEAA6322B1E724D
                                                                              Malicious:true
                                                                              Reputation:low
                                                                              Preview: d~.."..H
                                                                              C:\Users\user\gvvccsccefghhsnd.exe
                                                                              Process:C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):819712
                                                                              Entropy (8bit):6.584112685753224
                                                                              Encrypted:false
                                                                              SSDEEP:12288:uA1hpIV1Fn6OAVo1TCIV7B+AcieFXe7SIcNo5fqOedXJuL:pG65o12c7BWGSP4fqXK
                                                                              MD5:B737570F9E9A1BDD794F78E3906E61B9
                                                                              SHA1:0DD10ACAB603B2F1269D05534902B09D38E31AC5
                                                                              SHA-256:0A3A85FD6964B0CF1B61E41CC7C117ADA4C8607A0107AD4921DAFA69933EF0AC
                                                                              SHA-512:89FF7B15CE9C7D9B689C1C1A72DE630F3EC1DC2B3073818665DE0CB73C879D85ED853F0352BD6DBA93ED14D0674BE95DC726183B1D5218BE2BBA8F488057C446
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 21%
                                                                              Reputation:low
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.(................................. ........@.. ....................................`.................................@...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H.......<M...m......,....L..............................................Y.......E9......GP*...z....F..l..c.bZ.+$O\......a.CB...0...)Xq.@.^.r.s.....v.S.y.s)..Y..bfC.%%.C.....0.C...i.\D.z.G@Jh.L..0gj.....b...CZQ.]. ...............nF..........i..+6z1....C.....u6.x9.t....~...|.z./l..._.Q.....1x2.n.>...(..x{(].d7gNaVb..0#...u.$.`..h)W.....J(...........P...V@.d..>.f......m..p...........J.ex....}..r.....d.......[.mYZ..[)]k&...Lh.-.uf.. ..o._F....Vc.>jh..g}...+.
                                                                              C:\Users\user\gvvccsccefghhsnd.exe:Zone.Identifier
                                                                              Process:C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Preview: [ZoneTransfer]....ZoneId=0

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):6.584112685753224
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                              File name:PO_6620200947535257662_Arabico.PDF.exe
                                                                              File size:819712
                                                                              MD5:b737570f9e9a1bdd794f78e3906e61b9
                                                                              SHA1:0dd10acab603b2f1269d05534902b09d38e31ac5
                                                                              SHA256:0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
                                                                              SHA512:89ff7b15ce9c7d9b689c1c1a72de630f3ec1dc2b3073818665de0cb73c879d85ed853f0352bd6dba93ed14d0674be95dc726183b1d5218be2bba8f488057c446
                                                                              SSDEEP:12288:uA1hpIV1Fn6OAVo1TCIV7B+AcieFXe7SIcNo5fqOedXJuL:pG65o12c7BWGSP4fqXK
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.(................................. ........@.. ....................................`................................

                                                                              File Icon

                                                                              Icon Hash:c2d2cacad2dac2b5

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x4aba8e
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                              Time Stamp:0x28EC4D1C [Fri Oct 4 11:14:36 1991 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:v4.0.30319
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated: the bytes following the .NET entry stub are 00 00 padding, which disassembles as this instruction)
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaba40 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x1e1ba | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa9a94 | 0xa9c00 | False | 0.646130568851 | data | 6.66011560165 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x1e1ba | 0x1e200 | False | 0.31882942168 | data | 5.62921284867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xcc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xac250 | 0x4b17 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
RT_ICON | 0xb0d68 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | - | -
RT_ICON | 0xc1590 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | - | -
RT_ICON | 0xc57b8 | 0x25a8 | data | - | -
RT_ICON | 0xc7d60 | 0x10a8 | data | - | -
RT_ICON | 0xc8e08 | 0x988 | data | - | -
RT_ICON | 0xc9790 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0xc9bf8 | 0x68 | data | - | -
RT_VERSION | 0xc9c60 | 0x370 | data | - | -
RT_MANIFEST | 0xc9fd0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 1992 AFJJ37@>78:@HDI
Assembly Version | 1.0.0.0
InternalName | mcntyre.exe
FileVersion | 1.2.2.2
CompanyName | AFJJ37@>78:@HDI
Comments | F57J8JB63IE655B2;:3
ProductName | 96B<978J9;I>I72><3
ProductVersion | 1.2.2.2
FileDescription | 96B<978J9;I>I72><3
OriginalFilename | mcntyre.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/06/21-10:36:02.258188 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.290439 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 84.17.52.126 | 192.168.2.6
04/06/21-10:36:02.293339 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.325672 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 5.56.20.161 | 192.168.2.6
04/06/21-10:36:02.326654 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.364823 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 81.95.15.57 | 192.168.2.6
04/06/21-10:36:02.366540 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.404984 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 152.195.101.202 | 192.168.2.6
04/06/21-10:36:02.406086 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.444532 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 152.195.101.129 | 192.168.2.6
04/06/21-10:36:02.445016 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 93.184.221.240
04/06/21-10:36:02.482920 | ICMP | 408 | ICMP Echo Reply | - | - | 93.184.221.240 | 192.168.2.6

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2021 10:38:01.661478996 CEST | 49754 | 50005 | 192.168.2.6 | 185.157.161.86
Apr 6, 2021 10:38:04.667439938 CEST | 49754 | 50005 | 192.168.2.6 | 185.157.161.86
Apr 6, 2021 10:38:10.667876959 CEST | 49754 | 50005 | 192.168.2.6 | 185.157.161.86
Apr 6, 2021 10:38:20.153971910 CEST | 49756 | 50005 | 192.168.2.6 | 185.157.161.86

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2021 10:35:59.397299051 CEST | 49283 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:35:59.443243980 CEST | 53 | 49283 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:35:59.517369986 CEST | 58377 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:35:59.563328028 CEST | 53 | 58377 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:00.804811954 CEST | 55074 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:00.853636026 CEST | 53 | 55074 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:02.191914082 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:02.257329941 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:02.711837053 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:02.770776987 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:09.553786039 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:09.602634907 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:09.999507904 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:10.064980984 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:10.082122087 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:10.136673927 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:26.339577913 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:26.396933079 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:27.212419987 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:27.269778967 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:32.991431952 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:33.037364006 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:36.954302073 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:37.012487888 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:45.596035004 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:45.641974926 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:46.486073017 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:46.541996956 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:48.242137909 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:48.290954113 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:49.800721884 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:49.942778111 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:50.392990112 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:50.441786051 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:50.506048918 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:50.569228888 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:51.103629112 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:51.158143997 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:51.644021034 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:51.725781918 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:51.728620052 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:51.774887085 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:51.783021927 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:51.787916899 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:51.880153894 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:51.935127974 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:52.171984911 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:52.253487110 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:52.340657949 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:52.386590004 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:52.925522089 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:52.983159065 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:53.452385902 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:53.507927895 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:55.018774986 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:55.067365885 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:56.314537048 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:56.360495090 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:36:56.813999891 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:36:56.871093988 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:07.923084974 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:07.968991995 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:08.062706947 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:08.090409040 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:08.127232075 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:08.167853117 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:08.515583992 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:08.561724901 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:08.577095985 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:08.633795023 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:11.131500006 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:11.189194918 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:23.345535994 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:23.391628027 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:33.386636019 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:33.435512066 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:35.820000887 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:35.908873081 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:42.182859898 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:42.228646040 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:43.043751001 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:43.098184109 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:45.124299049 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:45.194892883 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:46.069515944 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:46.115487099 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:53.475512981 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:53.521442890 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:54.615837097 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:54.661771059 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:37:59.579653025 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:37:59.626425982 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:38:01.148498058 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:38:01.199031115 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
Apr 6, 2021 10:38:05.286000013 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Apr 6, 2021 10:38:05.334856033 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:36:07
Start date: 06/04/2021
Path: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe'
Imagebase: 0x240000
File size: 819712 bytes
MD5 hash: B737570F9E9A1BDD794F78E3906E61B9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:36:22
Start date: 06/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                              General

                                                                              Start time:10:36:22
                                                                              Start date:06/04/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff61de10000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:10:36:23
                                                                              Start date:06/04/2021
                                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
                                                                              Imagebase:0x10a0000
                                                                              File size:59392 bytes
                                                                              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:10:37:05
                                                                              Start date:06/04/2021
                                                                              Path:C:\Users\user\gvvccsccefghhsnd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\gvvccsccefghhsnd.exe'
                                                                              Imagebase:0x340000
                                                                              File size:819712 bytes
                                                                              MD5 hash:B737570F9E9A1BDD794F78E3906E61B9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 21%, ReversingLabs
                                                                              Reputation:low

                                                                              General

                                                                              Start time:10:37:55
                                                                              Start date:06/04/2021
                                                                              Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                              Imagebase:0xc80000
                                                                              File size:41064 bytes
                                                                              MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              Antivirus matches:
                                                                              • Detection: 0%, Metadefender, Browse
                                                                              • Detection: 0%, ReversingLabs
                                                                              Reputation:moderate

Disassembly

Code Analysis
