
Analysis Report ANS_309487487_#049844874.exe

Overview

General Information

Sample Name:ANS_309487487_#049844874.exe
Analysis ID:383118
MD5:203109ad6d2efdca0bf52cab63a7ce6a
SHA1:471d5a99a2e8bfe03a9e119b327c45b6994ffaf6
SHA256:5e7e5b02d1de0da6b91520884a92af6f7597fd2e39ec5b714ba089815785ad74

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ANS_309487487_#049844874.exe (PID: 5688 cmdline: 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe' MD5: 203109AD6D2EFDCA0BF52CAB63A7CE6A)
    • schtasks.exe (PID: 4012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5404 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 4904 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4132 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5824 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6360 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "15fbba02-3f99-4e02-884c-0827498f",
  "Group": "1118",
  "Domain1": "myhustle.duckdns.org",
  "Domain2": "",
  "Port": 1118,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "(task XML, decoded below)"
}

BypassUserAccountControlData (decoded task XML):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
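The configuration above is what a responder actually works from: the C2 name and port, the mutex, and the switches that decide which host artefacts exist. The following Python triage helper is an added example by the editor, not part of the Joe Sandbox report and not NanoCore code. It takes the extracted configuration, lists the network and host indicators, reports which notable switches are enabled, and parses the embedded task XML to show what the BypassUAC option registers (a task with no trigger, start-on-demand, RunLevel HighestAvailable and placeholders for the client path and argument). Assumptions: the dynamic-DNS suffix list and the set of settings flagged are the editor's choices; TASK_XML reproduces the BypassUserAccountControlData field with its Settings element abridged to the elements used and the closing `</Task>` tag completed so that it parses.

```python
"""Triage helper for a NanoCore configuration extracted by a sandbox.
Editor's added example; not part of the Joe Sandbox report and not NanoCore
code. CONFIG is constructed from the values under "Malware Configuration";
TASK_XML reproduces the BypassUserAccountControlData field (Settings abridged,
closing </Task> completed so it parses).
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumption: a short illustrative list of dynamic-DNS suffixes, not exhaustive.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".no-ip.org", ".ddns.net", ".hopto.org")

# Assumption: the editor's choice of settings worth surfacing when "Enable".
SETTINGS_OF_INTEREST = {
    "KeyboardLogging": "keystroke capture (raw-input / DirectInput signatures above)",
    "RunOnStartup": "persistence at logon",
    "BypassUAC": "registers the embedded task (RunLevel HighestAvailable) and starts it",
    "ClearZoneIdentifier": "deletes the Zone.Identifier stream from dropped files",
    "ClearAccessControl": "rewrites the ACL of dropped files",
    "SetCriticalProcess": "marks the client critical: killing it crashes the host",
    "UseCustomDNS": "resolves the C2 name via hard-coded resolvers, not local DNS",
}

TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    '  <RegistrationInfo />\r\n  <Triggers />\r\n'
    '  <Principals>\r\n    <Principal id="Author">\r\n'
    '      <LogonType>InteractiveToken</LogonType>\r\n'
    '      <RunLevel>HighestAvailable</RunLevel>\r\n'
    '    </Principal>\r\n  </Principals>\r\n'
    '  <Settings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n'
    '    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n  </Settings>\r\n'
    '  <Actions Context="Author">\r\n    <Exec>\r\n'
    '      <Command>"#EXECUTABLEPATH"</Command>\r\n'
    '      <Arguments>$(Arg0)</Arguments>\r\n'
    '    </Exec>\r\n  </Actions>\r\n</Task>'
)

CONFIG = {  # constructed from the report's extracted configuration
    "Version": "1.2.2.0", "Mutex": "15fbba02-3f99-4e02-884c-0827498f",
    "Group": "1118", "Domain1": "myhustle.duckdns.org", "Domain2": "", "Port": 1118,
    "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable",
    "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
    "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable",
    "ConnectDelay": 4000, "RestartDelay": 5000, "KeepAliveTimeout": 30000,
    "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4",
    "BypassUserAccountControlData": TASK_XML,
}


def is_dynamic_dns(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h.endswith(s) for s in DYNAMIC_DNS_SUFFIXES)


def extract_iocs(cfg: dict) -> dict:
    """Indicators a responder would block or hunt for."""
    hosts = [cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)]
    resolvers = []
    if cfg.get("UseCustomDNS") == "Enable":
        resolvers = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {
        "c2_hosts": hosts,
        "dynamic_dns_hosts": [h for h in hosts if is_dynamic_dns(h)],
        "c2_port": int(cfg["Port"]),
        "mutex": cfg["Mutex"],   # host artefact: named mutex held by the running client
        "group": cfg["Group"],   # operator's campaign tag (in this sample equal to the port)
        "hardcoded_resolvers": resolvers,
    }


def enabled_settings_of_interest(cfg: dict) -> dict:
    return {k: v for k, v in SETTINGS_OF_INTEREST.items() if cfg.get(k) == "Enable"}


def parse_uac_task(xml_text: str) -> dict:
    """Fields of the embedded task that matter for the BypassUAC option."""
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text)  # str input: drop the encoding declaration
    root = ET.fromstring(body)
    principal = root.find(f"{TASK_NS}Principals/{TASK_NS}Principal")
    action = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    triggers = root.find(f"{TASK_NS}Triggers")
    return {
        "run_level": principal.findtext(f"{TASK_NS}RunLevel"),
        "logon_type": principal.findtext(f"{TASK_NS}LogonType"),
        "trigger_count": 0 if triggers is None else len(list(triggers)),
        "on_demand": root.findtext(f"{TASK_NS}Settings/{TASK_NS}AllowStartOnDemand") == "true",
        "command": action.findtext(f"{TASK_NS}Command"),
        "arguments": action.findtext(f"{TASK_NS}Arguments"),
    }


def task_requests_elevation(task: dict) -> bool:
    """True when the task has no trigger, may be started on demand and asks for
    RunLevel HighestAvailable: it is built to be registered and then started by
    the client itself, with #EXECUTABLEPATH and $(Arg0) filled in at registration."""
    return (task["run_level"] == "HighestAvailable"
            and task["trigger_count"] == 0 and task["on_demand"])
```

Run against CONFIG this yields one C2 host on a dynamic-DNS domain, port 1118, the mutex and the two hard-coded resolvers (8.8.8.8 / 8.8.4.4, which means the C2 lookup never passes through the local resolver and will be missing from internal DNS logs), five enabled switches, and a task that asks for the highest available run level. The "schtasks.exe /Create ... /XML" entries in the Startup tree above are where that template is actually registered.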

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each entry)
00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x13a8:$x2: NanoCore.ClientPluginHost
  • 0x1486:$s4: PipeCreated
  • 0x13c2:$s5: IClientLoggingHost
00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
(43 entries in total; only the first are shown here.)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each entry)
4.2.RegSvcs.exe.6d80000.25.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d80000.25.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
4.2.RegSvcs.exe.64e0000.14.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.64e0000.14.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6df0000.30.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
(104 entries in total; only the first are shown here.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe', ParentImage: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, ParentProcessId: 5688, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', ProcessId: 4012
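The two Sigma hits above, and the three schtasks invocations in the Startup tree, are the kind of telemetry an EDR or Sysmon pipeline sees. The following Python is an added example by the editor, not part of the Joe Sandbox report and not the text of Joe Security's Sigma rules: it implements equivalents of the two detections over constructed process-creation and file-creation events taken from the report, plus one benign schtasks invocation (editor's addition) to show what does not match. The tokenizer, the temp-directory pattern and the GUID-folder pattern for run.dat are the editor's assumptions.

```python
"""Sigma-style checks for the two detections shown in the report.
Editor's added example; not part of the Joe Sandbox report and not the Sigma
rules' own text. EVENTS is constructed from the Startup tree and the Sigma
section above plus one benign control event.
"""
import re
from typing import Optional

TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# run.dat under %APPDATA%\{GUID}\ as seen in the file-created event above.
RUN_DAT = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$",
                     re.IGNORECASE)
# Single- or double-quoted arguments (the report prints quotes as ') or bare tokens.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")

EVENTS = [  # constructed from the report
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe", "pid": 4012,
     "parent": r"C:\Users\user\Desktop\ANS_309487487_#049844874.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe", "pid": 4904,
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe", "pid": 4132,
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'"},
    # Benign control (editor's construction): an admin importing a task from a deployment share.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "pid": 7001,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\deploy\nightly.xml'"},
    {"type": "file", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "pid": 5404,
     "target": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
]


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {flag: value}; flags lower-cased,
    quoted values keep their spaces and backslashes, bare flags map to True."""
    tokens = [t.strip("'\"") for t in TOKEN.findall(cmdline)]
    args, i = {}, 1  # tokens[0] is the image
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                args[key] = nxt
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_from_temp_xml(ev: dict) -> Optional[dict]:
    """'Scheduled temp file as task from temp location': schtasks registering a
    task from an XML definition that lives in a temp directory. Keyed on the
    image basename: the report shows the 32-bit sample's System32 path resolved
    to SysWOW64 by WoW64 redirection, so a full-path match would miss it."""
    if ev["type"] != "process" or image_name(ev["image"]) != "schtasks.exe":
        return None
    a = parse_schtasks(ev["cmdline"])
    xml = a.get("/xml")
    if "/create" in a and isinstance(xml, str) and TEMP_DIRS.search(xml):
        return {"pid": ev["pid"], "task": a.get("/tn"), "xml": xml, "parent": ev["parent"]}
    return None


def nanocore_run_dat(ev: dict) -> Optional[dict]:
    """'NanoCore': run.dat written under %APPDATA%\\{GUID}\\ by the injected host."""
    if ev["type"] == "file" and RUN_DAT.search(ev["target"]):
        return {"pid": ev["pid"], "image": ev["image"], "target": ev["target"]}
    return None


def run_rules(events: list) -> dict:
    hits = {"temp_task": [], "run_dat": []}
    for ev in events:
        h = task_from_temp_xml(ev)
        if h:
            hits["temp_task"].append(h)
        h = nanocore_run_dat(ev)
        if h:
            hits["run_dat"].append(h)
    return hits
```

Over EVENTS this flags the three temp-XML task creations (Updates\zgEmPmIdAWvDGJ, DHCP Monitor, DHCP Monitor Task) and the run.dat write from PID 5404, and leaves the deployment-share import alone. Two details from the tree are worth keeping in the alert: the second and third creations pass /f, so they overwrite any task of the same name, and their parent is RegSvcs.exe, a signed .NET framework utility that has no business registering tasks; pairing the rule with the parent image is what turns a noisy admin-tooling signature into a high-confidence one.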

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe; ReversingLabs: Detection: 37%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match; File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE
Source: 4.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.6570000.15.unpack; Avira: Label: TR/NanoCore.fadte
Source: ANS_309487487_#049844874.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ANS_309487487_#049844874.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000004.00000003.250320525.00000000012C8000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.266011315.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000002.281116598.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: Binary string: Svcs.pdbE source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb,h source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000004.00000003.303453473.0000000006798000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb^h/ source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49709 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49715 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.140.53.9:1118
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 185.140.53.9:1118
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: myhustle.duckdns.org (Domain2 in the configuration is empty)
Uses dynamic DNS services
Source: unknown; DNS query: name: myhustle.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.5:49709 -> 185.140.53.9:1118
Source: Joe Sandbox View; IP Address: 185.140.53.9
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: myhustle.duckdns.org
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: ANS_309487487_#049844874.exe, 00000000.00000002.243313663.0000000001668000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
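The networking evidence above is spread over three places: fourteen Snort alerts for the same destination, a DNS query for the configured dynamic-DNS name, and the port in the extracted configuration. The following Python is an added example by the editor, not part of the Joe Sandbox report: it parses alert lines in the report's own format, groups them per destination endpoint, attaches the DNS answer and the configured port, and emits a block list. The alert lines are constructed from the fourteen entries above (same SID, message, source host, destination and port, one line per source port); the DNS answer is the editor's reading of the query plus the alert destination; the list of ports treated as "common" is the editor's assumption.

```python
"""Turn the report's Snort alert lines into a C2 summary and a block list.
Editor's added example; not part of the Joe Sandbox report. ALERTS is
constructed from the 14 alert lines above; DNS_ANSWERS and CONFIG_PORT come
from the Networking and Malware Configuration sections.
"""
import re
from collections import defaultdict
from typing import Optional

ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

SRC_PORTS = [49709, 49715, 49719, 49720, 49722, 49723, 49724,
             49726, 49735, 49736, 49738, 49740, 49741, 49742]
ALERTS = [  # one line per alert in the report, in the report's own format
    f"Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B "
    f"192.168.2.5:{p} -> 185.140.53.9:1118" for p in SRC_PORTS
]
DNS_ANSWERS = {"myhustle.duckdns.org": "185.140.53.9"}  # query seen; IP is the alert destination
CONFIG_PORT = 1118                                       # "Port" in the extracted configuration

# Assumption: ports on which outbound TCP from a workstation is unremarkable.
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 3389}


def parse_alert(line: str) -> Optional[dict]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sid", "sport", "dport"):
        d[k] = int(d[k])
    return d


def summarise(alerts: list, dns_answers: dict, config_port: int) -> list:
    """Group alerts per destination endpoint and attach context: which
    configured name resolved to the IP, whether the port matches the extracted
    configuration, and how many distinct client sessions hit it."""
    by_dst = defaultdict(lambda: {"sids": set(), "msgs": set(), "sports": set(), "srcs": set()})
    for line in alerts:
        a = parse_alert(line)
        if a is None:
            continue
        e = by_dst[(a["dst"], a["dport"])]
        e["sids"].add(a["sid"])
        e["msgs"].add(a["msg"])
        e["sports"].add(a["sport"])
        e["srcs"].add(a["src"])
    ip_to_names = defaultdict(list)
    for name, ip in dns_answers.items():
        ip_to_names[ip].append(name)
    out = []
    for (dst, dport), e in sorted(by_dst.items()):
        sessions = len(e["sports"])  # each source port is a separate TCP session
        out.append({
            "dst": dst, "dport": dport,
            "domains": sorted(ip_to_names.get(dst, [])),
            "sources": sorted(e["srcs"]),
            "matches_config_port": dport == config_port,
            "non_standard_port": dport not in COMMON_PORTS,
            "sessions": sessions,
            # Many short sessions to one endpoint inside a single run is the client's
            # reconnect loop (RestartDelay in the config), not one long-lived channel.
            "reconnect_loop": sessions >= 3,
            "sids": sorted(e["sids"]), "messages": sorted(e["msgs"]),
        })
    return out


def block_list(summary: list) -> list:
    """Indicators for a DNS sinkhole and egress filter: name, IP and IP:port."""
    iocs = set()
    for s in summary:
        iocs.add(s["dst"])
        iocs.add(f'{s["dst"]}:{s["dport"]}')
        iocs.update(s["domains"])
    return sorted(iocs)
```

For this report the summary is a single endpoint, 185.140.53.9:1118, reached from fourteen distinct source ports within one sandbox run, on a port that matches the configuration and is not one a workstation normally talks to, and resolved from a duckdns.org name. The client's UseCustomDNS setting means the name lookup goes straight to 8.8.8.8 / 8.8.4.4, so on a real network the DNS side of this evidence will only be visible at the egress point, not in the internal resolver's logs; the IP:port pair and the repeated-session pattern are the indicators that survive that.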

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the 24 file sources are the same as those listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.2fcf924.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4217941.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.42381a2.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.4223b75.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03195BD0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03193158
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031999C1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03195F78
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031975F0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03191C98
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03197B20
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03191BDF
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03195BC2
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190A50
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190A42
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03197ABA
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03199AE2
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03196151
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_0319314A
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031921B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031969B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_0319280C
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03192828
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031978B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031910BA
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031978A8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031910C8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190F00
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03195F68
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03193620
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190699
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190EF1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_031975DF
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_03190C82
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5CDB8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E55C68
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5D7C9
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5F678
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5B620
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5B610
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5B1E0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5C1DD
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E549B0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E56928
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E598A0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5A320
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5D248
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_05E5C208
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_07F30040
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_07F38F80
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, Code function: 0_2_07F38F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_02F8E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_02F8E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_02F8BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_06920040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0692A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_069292B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_06929EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_06929F86
Source: ANS_309487487_#049844874.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zgEmPmIdAWvDGJ.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ANS_309487487_#049844874.exe, 00000000.00000002.246725643.000000000496C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameU~ vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.243313663.0000000001668000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.258053879.0000000010D80000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257837403.000000000A5B0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257022487.0000000007F10000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257022487.0000000007F10000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.244600851.0000000003451000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMetroFramework.dll> vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, Binary or memory string: OriginalFilenameU~ vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.2fcf924.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4217941.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.42381a2.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.4223b75.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: ANS_309487487_#049844874.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zgEmPmIdAWvDGJ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/14@16/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | File created: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{15fbba02-3f99-4e02-884c-0827498fae1d}
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | Mutant created: \Sessions\1\BaseNamedObjects\mXqOXPexfwXu
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | File created: C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | File read: C:\Users\user\Desktop\ANS_309487487_#049844874.exe
Source: unknown | Process created: C:\Users\user\Desktop\ANS_309487487_#049844874.exe 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ANS_309487487_#049844874.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ANS_309487487_#049844874.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000004.00000003.250320525.00000000012C8000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.266011315.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000002.281116598.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: Binary string: Svcs.pdbE source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb,h source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: RegSvcs.exe, 00000004.00000003.303453473.0000000006798000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb^h/ source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: ANS_309487487_#049844874.exe, Imager/MainWindow.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: zgEmPmIdAWvDGJ.exe.0.dr, Imager/MainWindow.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
.NET source code contains potential unpacker
Source: ANS_309487487_#049844874.exe, Imager/MainWindow.cs .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: zgEmPmIdAWvDGJ.exe.0.dr, Imager/MainWindow.cs .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_0319230D push cs; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_0319132E push ds; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03192325 push cs; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03191B25 push ss; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03191A4E push ss; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03191A7D push ss; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03191A63 push ss; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_031912BE push ds; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_031912D2 push ds; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_031912E8 push ds; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_0319CE56 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03198E8A pushad ; ret
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03197ED0 push es; ret
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_03197EC6 push es; ret
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_0319851C pushad ; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_031914D2 push 0000001Ch; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_059385E9 push E801005Eh; retf
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_059300F0 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_05E5B782 push esp; ret
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_05E55AC2 pushfd ; iretd
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_07F3DE92 pushfd ; retf
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Code function: 0_2_07F3DDF0 push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692E701 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692C770 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D6F2 push es; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D6F6 push es; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D6FA push es; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D6FA push ds; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D7B6 push ds; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692D7DD push ds; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0692DA16 push ds; iretd
Source: initial sample Static PE information: section name: .text entropy: 7.9483521266
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe File created: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (29 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: ANS_309487487_#049844874.exe PID: 5688, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 5010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 811
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe TID: 5588 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe TID: 5764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (5 identical entries)
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: vmware
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000004.00000002.496575693.0000000006700000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F0E008
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Source: RegSvcs.exe, 00000004.00000002.489302829.000000000327A000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$
Source: RegSvcs.exe, 00000004.00000002.497459855.0000000006F6D000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
Source: RegSvcs.exe, 00000004.00000002.490079641.00000000033E2000.00000004.00000001.sdmp Binary or memory string: Program Managerh!r
Source: RegSvcs.exe, 00000004.00000002.497029471.0000000006BAC000.00000004.00000001.sdmp Binary or memory string: Program Manager8
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000004.00000002.488956229.00000000030D6000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Users\user\Desktop\ANS_309487487_#049844874.exe VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: RegSvcs.exe, 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.C
ompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Each cell names a technique; the digits following a technique are the signature counts shown in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 212 | Masquerading 2 | Input Capture 21 | Security Software Discovery 211 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 383118
Sample: ANS_309487487_#049844874.exe
Startdate: 07/04/2021
Architecture: WINDOWS
Score: 100

Top-level signatures:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • 11 other signatures

Process tree (numbers in parentheses are the node IDs from the graph):
  • ANS_309487487_#049844874.exe (8), started
      Dropped: C:\Users\user\AppData\...\zgEmPmIdAWvDGJ.exe (PE32); C:\Users\user\AppData\Local\...\tmpDC3C.tmp (XML)
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Injects a PE file into a foreign processes
      • RegSvcs.exe (18), started
          DNS/IP: myhustle.duckdns.org 185.140.53.9, ports 1118, 49709, 49715, DAVID_CRAIGGG, Sweden; 192.168.2.1 (unknown, unknown)
          Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • schtasks.exe (31), started → conhost.exe (37)
          • schtasks.exe (33), started → conhost.exe (39)
      • schtasks.exe (23), started → conhost.exe (35)
  • RegSvcs.exe (12), started → conhost.exe (25)
  • dhcpmon.exe (14), started → conhost.exe (27)
  • dhcpmon.exe (16), started → conhost.exe (29)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe | 38% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.2.RegSvcs.exe.6570000.15.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
myhustle.duckdns.org | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myhustle.duckdns.org | 185.140.53.9 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
myhustle.duckdns.org | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Source for every entry unless noted otherwise: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp) | false | | high
http://www.sakkal.com | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.9 | myhustle.duckdns.org | Sweden | 209623 | DAVID_CRAIGGG | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383118
Start date: 07.04.2021
Start time: 09:05:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ANS_309487487_#049844874.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/14@16/2
EGA Information: Failed
HDC Information:
  • Successful, ratio: 0.4% (good quality ratio 0.4%)
  • Quality average: 100%
  • Quality standard deviation: 0%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • TCP Packets have been reduced to 100
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.42.151.234, 104.43.139.144, 95.100.54.203, 52.147.198.201, 13.64.90.137, 20.82.210.154, 23.10.249.26, 23.10.249.43, 20.54.26.129
  • Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, arc.msn.com.nsatc.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383118/sample/ANS_309487487_#049844874.exe

Simulations

Behavior and APIs

Time | Type | Description
09:05:57 | API Interceptor | 2x Sleep call for process: ANS_309487487_#049844874.exe modified
09:06:10 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
09:06:10 | API Interceptor | 883x Sleep call for process: RegSvcs.exe modified
09:06:10 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:06:11 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          185.140.53.9t5R60D503x.exeGet hashmaliciousBrowse
                            GT_0397337_03987638BNG.exeGet hashmaliciousBrowse
                              1PH37n4Gva.exeGet hashmaliciousBrowse
                                malwa.exeGet hashmaliciousBrowse
                                  HDF_39837635_0398376HJD.exeGet hashmaliciousBrowse
                                    E0029876556_209876689.exeGet hashmaliciousBrowse
                                      BGD_03987365_0398736DSC.exeGet hashmaliciousBrowse
                                        DHL_AWB #9855452108.exeGet hashmaliciousBrowse
                                          Simo_Inquiry_FOB_Order_9820_xlsx.exeGet hashmaliciousBrowse
                                            Summer_richiesta_di_preventivo_070820.exeGet hashmaliciousBrowse
                                              RF172474228ES.exeGet hashmaliciousBrowse
                                                MAJDALANI INOX S.A Pedido 050820.exeGet hashmaliciousBrowse
                                                  MAJDALANI INOX SA Pedido.exeGet hashmaliciousBrowse
                                                    Correos de Espa#U00f1a Recibo de impresi#U00f3n de paquete retrasado.exeGet hashmaliciousBrowse
                                                      PDF_Tosoh-Inquiry.exeGet hashmaliciousBrowse
                                                        Tosoh inquiry list 30072020_PDF.exeGet hashmaliciousBrowse

                                                          Domains

                                                          No context

                                                          ASN

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          DAVID_CRAIGGGtmp2.exeGet hashmaliciousBrowse
                                                          • 185.140.53.71
                                                          tmp.exeGet hashmaliciousBrowse
                                                          • 185.140.53.71
                                                          NEW_ORDER.pdf.exeGet hashmaliciousBrowse
                                                          • 185.140.53.138
                                                          Doc_58YJ54-521DERG701-55YH701.exeGet hashmaliciousBrowse
                                                          • 185.140.53.230
                                                          Quotation_Request.pdf.exeGet hashmaliciousBrowse
                                                          • 185.140.53.138
                                                          FRQ_05694 revised quantity.exeGet hashmaliciousBrowse
                                                          • 185.140.53.69
                                                          INVOICE 15112021.xlsxGet hashmaliciousBrowse
• 185.140.53.130
URGENT_ORDER.pdf.exe (malicious)
• 185.140.53.138
IMG-001982-AW00173-SSE73I.exe (malicious)
• 185.140.53.230
FYI-Orderimg.exe (malicious)
• 185.140.53.67
Purchase_Order.pdf.exe (malicious)
• 185.140.53.138
PO-94765809570-Order pdf.exe (malicious)
• 185.140.53.7
Commercial E-invoice.exe (malicious)
• 185.140.53.137
Order23032021.xls (malicious)
• 185.140.53.130
ZcQwvgqtuQ.exe (malicious)
• 91.193.75.245
lKIPqaYkKB.exe (malicious)
• 185.140.53.161
t5R60D503x.exe (malicious)
• 185.140.53.9
Purchase OrderDated19032021.xls (malicious)
• 185.140.53.130
0u1JLpIwRo.exe (malicious)
• 185.140.53.139
PO-21322.xlsm (malicious)
• 185.165.153.116

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Associated Sample Name / URL (Detection):
• Dekont_12VK2102526 VAKIF KATILIM.exe (malicious)
• taiwan.exe (malicious)
• SWIFT COPY.exe (malicious)
• GS_ PO NO.1862021.exe (malicious)
• purchase order.exe (malicious)
• Payment Advice.exe (malicious)
• Quotation.pdf...exe (malicious)
• PURCHASE ORDER.exe (malicious)
• money.exe (malicious)
• TT COPY.exe (malicious)
• $$$.exe (malicious)
• ORDER.exe (malicious)
• PO-0561.exe (malicious)
• Encrypted Documents.exe (malicious)
• Statement of Account.exe (malicious)
• PURCHASE ORDER COPY.exe (malicious)
• GS_ PO NO.1862021.exe (malicious)
• Wrong_Invoice.exe (malicious)
• REQUEST FOR QUOTAION.exe (malicious)
• New Order.exe (malicious)

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious
• Filename: taiwan.exe, Detection: malicious
• Filename: SWIFT COPY.exe, Detection: malicious
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: purchase order.exe, Detection: malicious
• Filename: Payment Advice.exe, Detection: malicious
• Filename: Quotation.pdf...exe, Detection: malicious
• Filename: PURCHASE ORDER.exe, Detection: malicious
• Filename: money.exe, Detection: malicious
• Filename: TT COPY.exe, Detection: malicious
• Filename: $$$.exe, Detection: malicious
• Filename: ORDER.exe, Detection: malicious
• Filename: PO-0561.exe, Detection: malicious
• Filename: Encrypted Documents.exe, Detection: malicious
• Filename: Statement of Account.exe, Detection: malicious
• Filename: PURCHASE ORDER COPY.exe, Detection: malicious
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: Wrong_Invoice.exe, Detection: malicious
• Filename: REQUEST FOR QUOTAION.exe, Detection: malicious
• Filename: New Order.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ANS_309487487_#049844874.exe.log
Process: C:\Users\user\Desktop\ANS_309487487_#049844874.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Temp\tmp6007.tmp
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1320
Entropy (8bit): 5.135668813522653
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
MD5: 8CAD1B41587CED0F1E74396794F31D58
SHA1: 11054BF74FCF5E8E412768035E4DAE43AA7B710F
SHA-256: 3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
SHA-512: 99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Local\Temp\tmp6940.tmp
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp
Process: C:\Users\user\Desktop\ANS_309487487_#049844874.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1651
Entropy (8bit): 5.180198443688216
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3d
MD5: F59A4E52C5AF4407199142EDC5E26377
SHA1: 387755BD484FE5E07A8A7657955E9F15D0F08117
SHA-256: 6A9F77E90593E194E33E1F09D2543B640322912192AA07DB8599B5F1D4ED39A8
SHA-512: 3D407381E8E3C6ABE283BFE5DE37C1A2995C81A3C99A728D72A7B62FD56331464428EAD8C19DBC020AC59EB573180284A50D585840C5F87E87345815DD3DC224
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 2088
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
MD5: 0D6805D12813A857D50D42D6EE2CCAB0
SHA1: 78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
SHA-256: 182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
SHA-512: 5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
Malicious: false
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:Pc9t:U
MD5: 19B475F1566BC5B63E8B39713E96CB7B
SHA1: A3FEBA3421A1F88CDE6AF68D8632DF38C14A3D31
SHA-256: 49EE73A5135A3D3F5E3B25060369447755F89024BE23483C13B60FF47F657C4A
SHA-512: F42BB7118C1E49DF91E55928E6B146B8AC11F7B42932B760E6D12673E0290CFE37F2F463747BDE79044210B04635C26A2AB6C18D036F7FDE35E3A579FA263219
Malicious: true
Preview: .Id....H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.830795005765378
Encrypted: false
SSDEEP: 3:oMty8WddSWA1KMNn:oMLW6WA1j
MD5: 08E799E8E9B4FDA648F2500A40A11933
SHA1: AC76B5E20DED247803448A2F586731ED7D84B9F3
SHA-256: D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
SHA-512: 5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
Malicious: false
Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe
                                                                                                  Process:C:\Users\user\Desktop\ANS_309487487_#049844874.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):988672
                                                                                                  Entropy (8bit):7.599577245128144
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:m1izcvE+woErFNL01jT9p6fUyCbTEUSOWPy6bwSc:mU+wBB9S6fFQrSX6g
                                                                                                  MD5:203109AD6D2EFDCA0BF52CAB63A7CE6A
                                                                                                  SHA1:471D5A99A2E8BFE03A9E119B327C45B6994FFAF6
                                                                                                  SHA-256:5E7E5B02D1DE0DA6B91520884A92AF6F7597FD2E39EC5B714BA089815785AD74
                                                                                                  SHA-512:8B567CEEB8EB7158495659687FAD6B74AE8F889604D8CC8AF7BF7FE8A6C4C931EF3622B55A6C7D8C16C5F8C6A25DE398ACBB8A245596DAA94AB3C72A6ACB0F55
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Xl`..............0......(......*.... ... ....@.. ....................................@.....................................O.... ...%...................`....................................................... ............... ..H............text...0.... ...................... ..`.rsrc....%... ...&..................@..@.reloc.......`......................@..B........................H........g..\Q......Z...P....P...........................................0..n.........}.....(.......(......r...p.(....(....o......{.....(....o......{....r...p.(....(....o......{.....(....o.....*...0..`........(.........(.....o............,*....t......o....r-..p(......,...o......+..(....o....(......+...*.0...........(....o ...o!...o"....+..*...0..;........(.........(.....o............,..r-..p.+....t....o#....+..*..0..;........(.........(.....o............,..r-..p.+....t....o$.
                                                                                                  \Device\ConDrv
                                                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1141
                                                                                                  Entropy (8bit):4.44831826838854
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                  MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                  SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                  SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                  SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                  Malicious:false
                                                                                                  Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):7.599577245128144
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  File name:ANS_309487487_#049844874.exe
                                                                                                  File size:988672
                                                                                                  MD5:203109ad6d2efdca0bf52cab63a7ce6a
                                                                                                  SHA1:471d5a99a2e8bfe03a9e119b327c45b6994ffaf6
                                                                                                  SHA256:5e7e5b02d1de0da6b91520884a92af6f7597fd2e39ec5b714ba089815785ad74
                                                                                                  SHA512:8b567ceeb8eb7158495659687fad6b74ae8f889604d8cc8af7bf7fe8a6c4c931ef3622b55a6c7d8c16c5f8c6a25de398acbb8a245596daa94ab3c72a6acb0f55
                                                                                                  SSDEEP:24576:m1izcvE+woErFNL01jT9p6fUyCbTEUSOWPy6bwSc:mU+wBB9S6fFQrSX6g
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Xl`..............0......(......*.... ... ....@.. ....................................@................................

                                                                                                  File Icon

                                                                                                  Icon Hash:60c2d2d89484dc1c

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x4c0a2a
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                  Time Stamp:0x606C5803 [Tue Apr 6 12:45:55 2021 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al

                                                                                                  Data Directories

                                                                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0xc09d8          0x4f          .text
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc2000          0x325e8       .rsrc
                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf6000          0xc           .reloc
                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                  Sections

                                                                                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                                                  .text   0x2000           0xbea30       0xbec00   False     0.93988445077    data       7.9483521266     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                  .rsrc   0xc2000          0x325e8       0x32600   False     0.303916912221   data       4.85960749449    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                  .reloc  0xf6000          0xc           0x200     False     0.041015625      data       0.0776331623432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                  Resources

                                                                                                  Name           RVA      Size     Type                                                                                                                                              Language  Country
                                                                                                  RT_ICON        0xc22e0  0x7006   PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                  RT_ICON        0xc92e8  0x3580   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                                  RT_ICON        0xcc868  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                                                                  RT_ICON        0xdd090  0x94a8   data
                                                                                                  RT_ICON        0xe6538  0x5488   data
                                                                                                  RT_ICON        0xeb9c0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294902776
                                                                                                  RT_ICON        0xefbe8  0x25a8   data
                                                                                                  RT_ICON        0xf2190  0x10a8   data
                                                                                                  RT_ICON        0xf3238  0x988    data
                                                                                                  RT_ICON        0xf3bc0  0x468    GLS_BINARY_LSB_FIRST
                                                                                                  RT_GROUP_ICON  0xf4028  0x92     data
                                                                                                  RT_VERSION     0xf40bc  0x33e    data
                                                                                                  RT_MANIFEST    0xf43fc  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                  Imports

                                                                                                  DLL          Import
                                                                                                  mscoree.dll  _CorExeMain

                                                                                                  Version Infos

                                                                                                  Description       Data
                                                                                                  Translation       0x0000 0x04b0
                                                                                                  LegalCopyright    Copyright 2013 - 2021
                                                                                                  Assembly Version  1.9.0.21
                                                                                                  InternalName      U.exe
                                                                                                  FileVersion       1.9.0.21
                                                                                                  CompanyName
                                                                                                  LegalTrademarks
                                                                                                  Comments
                                                                                                  ProductName       Layered Styler
                                                                                                  ProductVersion    1.9.0.21
                                                                                                  FileDescription   Layered Styler
                                                                                                  OriginalFilename  U.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/07/21-09:06:13.508131 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49709 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:22.447080 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49715 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:28.206968 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:34.440086 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49720 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:40.461048 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:46.536426 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:52.466731 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:06:57.696674 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:20.316455 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:26.457068 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:32.604394 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:41.176968 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:47.966544 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 1118 | 192.168.2.5 | 185.140.53.9
04/07/21-09:07:54.950513 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 1118 | 192.168.2.5 | 185.140.53.9

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 7, 2021 09:06:11.759711027 CEST | 192.168.2.5 | 8.8.8.8 | 0x2a45 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:12.778274059 CEST | 192.168.2.5 | 8.8.8.8 | 0x2a45 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:19.049269915 CEST | 192.168.2.5 | 8.8.8.8 | 0xb260 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:27.948117018 CEST | 192.168.2.5 | 8.8.8.8 | 0x3471 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:34.214905024 CEST | 192.168.2.5 | 8.8.8.8 | 0xd042 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:40.253118992 CEST | 192.168.2.5 | 8.8.8.8 | 0x64aa | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:46.295386076 CEST | 192.168.2.5 | 8.8.8.8 | 0x8f51 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:52.268774986 CEST | 192.168.2.5 | 8.8.8.8 | 0xd64 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:57.263880968 CEST | 192.168.2.5 | 8.8.8.8 | 0x3a08 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:03.308799982 CEST | 192.168.2.5 | 8.8.8.8 | 0x99f4 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:19.901367903 CEST | 192.168.2.5 | 8.8.8.8 | 0xe1c9 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:26.252872944 CEST | 192.168.2.5 | 8.8.8.8 | 0xd4b6 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:32.351288080 CEST | 192.168.2.5 | 8.8.8.8 | 0xfd97 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:40.743916988 CEST | 192.168.2.5 | 8.8.8.8 | 0x4306 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:47.746645927 CEST | 192.168.2.5 | 8.8.8.8 | 0x1b09 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:54.722879887 CEST | 192.168.2.5 | 8.8.8.8 | 0x43d1 | Standard query (0) | myhustle.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 7, 2021 09:06:12.791774035 CEST | 8.8.8.8 | 192.168.2.5 | 0x2a45 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:19.229712009 CEST | 8.8.8.8 | 192.168.2.5 | 0xb260 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:27.961658955 CEST | 8.8.8.8 | 192.168.2.5 | 0x3471 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:34.227855921 CEST | 8.8.8.8 | 192.168.2.5 | 0xd042 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:40.266549110 CEST | 8.8.8.8 | 192.168.2.5 | 0x64aa | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:46.307823896 CEST | 8.8.8.8 | 192.168.2.5 | 0x8f51 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:52.282419920 CEST | 8.8.8.8 | 192.168.2.5 | 0xd64 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:06:57.446436882 CEST | 8.8.8.8 | 192.168.2.5 | 0x3a08 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:03.322525978 CEST | 8.8.8.8 | 192.168.2.5 | 0x99f4 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:20.084091902 CEST | 8.8.8.8 | 192.168.2.5 | 0xe1c9 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:26.265705109 CEST | 8.8.8.8 | 192.168.2.5 | 0xd4b6 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:32.364850998 CEST | 8.8.8.8 | 192.168.2.5 | 0xfd97 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:40.926371098 CEST | 8.8.8.8 | 192.168.2.5 | 0x4306 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:47.759985924 CEST | 8.8.8.8 | 192.168.2.5 | 0x1b09 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)
Apr 7, 2021 09:07:54.735752106 CEST | 8.8.8.8 | 192.168.2.5 | 0x43d1 | No error (0) | myhustle.duckdns.org | | 185.140.53.9 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:05:49
Start date: 07/04/2021
Path: C:\Users\user\Desktop\ANS_309487487_#049844874.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe'
Imagebase: 0xdc0000
File size: 988672 bytes
MD5 hash: 203109AD6D2EFDCA0BF52CAB63A7CE6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:06:00
Start date: 07/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Imagebase: 0x13c0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:06:00
Start date: 07/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:06:01
Start date: 07/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xc60000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 09:06:06
Start date: 07/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Imagebase: 0xdd0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:06:07
Start date: 07/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:06:08
Start date: 07/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Imagebase: 0x7ff797770000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                  General

                                                                                                  Start time:09:06:09
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:10
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
                                                                                                  Imagebase:0xb30000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:11
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:11
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                                                  Imagebase:0x40000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, Metadefender, Browse
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:11
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:19
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                                                  Imagebase:0x2a0000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:09:06:19
                                                                                                  Start date:07/04/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff7ecfc0000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

Disassembly

Code Analysis