Analysis Report LIST OF POEA DELISTED AGENCIES.pdf.exe

Overview

General Information

Sample Name: LIST OF POEA DELISTED AGENCIES.pdf.exe
Analysis ID: 383708
MD5: 170934b168c75ed396332a6af365a478
SHA1: 9089f509aae08997e6c8da1a33f3c5156a6f06bc
SHA256: 1b7d2ae0faed1db793cfcf75e11cc0308c69af37540d27b9dbd104d0f850a658
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a8eeb35c-017d-4116-8f99-efe29258", "Group": "uuu", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: shahzad73.casacam.net Virustotal: Detection: 5%
Source: shahzad73.ddns.net Virustotal: Detection: 5%
Yara detected Nanocore RAT
Source: Yara match File source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.497876017.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack Avira: Label: TR/NanoCore.fadte
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496438709.00000000010B1000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496453715.00000000010B4000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_066DBC38

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49705 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49706 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49708 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49712 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49733 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 79.134.225.9:9036
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 79.134.225.9:9036
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: shahzad73.ddns.net
Source: Malware configuration extractor URLs: shahzad73.casacam.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 79.134.225.9:9036
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.9
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown DNS traffic detected: queries for: shahzad73.casacam.net
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.270340865.0000000007421000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.258728477.0000000000A17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.258728477.0000000000A17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comrY.
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.258728477.0000000000A17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comueva
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.266816780.00000000068B2000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.299600592.0000000005790000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe String found in binary or memory: https://github.com/michel-pi/EasyBot.Net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.497876017.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.504910894.0000000005340000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505774970.0000000006620000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.505788129.0000000006630000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505834895.0000000006670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505731790.00000000065F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505705551.00000000065D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505744453.0000000006600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505679942.00000000065B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.502325933.00000000040DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.505693803.00000000065C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505618683.0000000006560000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.505717572.00000000065E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.505218094.0000000005550000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.505667640.00000000065A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.498112941.0000000002E4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65c0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.345c48c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fb7c89.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fb7c89.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ed69e4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ed69e4.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.663e8a4.34.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2e0ca0c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65a0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6634c9f.36.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5340000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: LIST OF POEA DELISTED AGENCIES.pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02770B70 0_2_02770B70
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02775770 0_2_02775770
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_027787ED 0_2_027787ED
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_027767C8 0_2_027767C8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02776568 0_2_02776568
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02774D98 0_2_02774D98
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02776230 0_2_02776230
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02776221 0_2_02776221
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02770AD0 0_2_02770AD0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02772370 0_2_02772370
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02772361 0_2_02772361
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02775B60 0_2_02775B60
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02775B50 0_2_02775B50
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02770040 0_2_02770040
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02775038 0_2_02775038
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_0277502B 0_2_0277502B
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02770007 0_2_02770007
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_027720C0 0_2_027720C0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_027720B9 0_2_027720B9
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02778958 0_2_02778958
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02775763 0_2_02775763
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_027767B8 0_2_027767B8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02773C30 0_2_02773C30
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02773C1F 0_2_02773C1F
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02776558 0_2_02776558
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_02774D88 0_2_02774D88
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DC204 0_2_028DC204
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DE627 0_2_028DE627
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DE630 0_2_028DE630
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_0100E471 7_2_0100E471
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_0100E480 7_2_0100E480
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_0100BBD4 7_2_0100BBD4
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_0526F5F8 7_2_0526F5F8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_05269788 7_2_05269788
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_0526A610 7_2_0526A610
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066D0040 7_2_066D0040
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066D9D18 7_2_066D9D18
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066D8DC8 7_2_066D8DC8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066D9A9E 7_2_066D9A9E
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066D99E0 7_2_066D99E0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263C204 11_2_0263C204
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263E623 11_2_0263E623
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263E630 11_2_0263E630
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C56E8 11_2_026C56E8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C6740 11_2_026C6740
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C64E0 11_2_026C64E0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C0B70 11_2_026C0B70
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C4D98 11_2_026C4D98
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C2370 11_2_026C2370
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C0040 11_2_026C0040
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C502A 11_2_026C502A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C5038 11_2_026C5038
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C0007 11_2_026C0007
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C20C0 11_2_026C20C0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C61A8 11_2_026C61A8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C619A 11_2_026C619A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C5AC8 11_2_026C5AC8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C5AD8 11_2_026C5AD8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C3C30 11_2_026C3C30
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026C4D88 11_2_026C4D88
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_04D50128 11_2_04D50128
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_04D56668 11_2_04D56668
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_04D50123 11_2_04D50123
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0528E7D8 11_2_0528E7D8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0528DC34 11_2_0528DC34
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_05280448 11_2_05280448
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0528A167 11_2_0528A167
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0528A1A0 11_2_0528A1A0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0528F368 11_2_0528F368
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_05280B60 11_2_05280B60
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_05285A80 11_2_05285A80
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_0193E480 19_2_0193E480
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_0193E471 19_2_0193E471
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_0193BBD4 19_2_0193BBD4
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_059DF5F8 19_2_059DF5F8
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_059D9788 19_2_059D9788
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_059DA5E1 19_2_059DA5E1
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 19_2_059DA602 19_2_059DA602
Sample file is different than original file name gathered from version info
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.270268219.0000000007380000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.259547277.00000000028F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.268983784.00000000070B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.258333307.00000000004BC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameJ( vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.270934585.000000000F170000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.494394647.00000000009DC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameJ( vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496068357.000000000101A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.505774970.0000000006620000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.506146009.00000000071E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.505486753.0000000006230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300582699.0000000006CD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.289207075.00000000004EC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameJ( vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300678472.0000000006D90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300766167.0000000006E40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300496064.0000000006910000.00000002.00000001.sdmp Binary or memory string: originalfilename vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300496064.0000000006910000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.302055679.0000000009350000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000000.287148486.000000000107C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameJ( vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Binary or memory string: OriginalFilenameJ( vs LIST OF POEA DELISTED AGENCIES.pdf.exe
Uses 32bit PE files
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000007.00000002.504910894.0000000005340000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.504910894.0000000005340000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505774970.0000000006620000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505774970.0000000006620000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.505788129.0000000006630000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505788129.0000000006630000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505834895.0000000006670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505834895.0000000006670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505731790.00000000065F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505731790.00000000065F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505705551.00000000065D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505705551.00000000065D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505744453.0000000006600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505744453.0000000006600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505679942.00000000065B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505679942.00000000065B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.502325933.00000000040DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.505693803.00000000065C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505693803.00000000065C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505618683.0000000006560000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505618683.0000000006560000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.505717572.00000000065E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505717572.00000000065E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.505218094.0000000005550000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505218094.0000000005550000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.505667640.00000000065A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.505667640.00000000065A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.498112941.0000000002E4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65c0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65c0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.345c48c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.345c48c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65f0000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fb7c89.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fb7c89.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fb7c89.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2eb60d8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ed69e4.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ed69e4.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.663e8a4.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.663e8a4.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65b0000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65d0000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41e83f7.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fa365e.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6670000.37.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65e0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41ff656.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6600000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2e0ca0c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2e0ca0c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6560000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5550000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65a0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.65a0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6620000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6634c9f.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6634c9f.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5340000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5340000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3f9742c.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.6630000.35.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.41f1226.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.2ec2364.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lYcqUUrbhRC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/8@15/1
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File created: C:\Users\user\AppData\Roaming\lYcqUUrbhRC.exe
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a8eeb35c-017d-4116-8f99-efe2925862de}
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\UFQVOTY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File read: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe'
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe {path}
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB457.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe' 0
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp5375.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe {path}
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496438709.00000000010B1000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496453715.00000000010B4000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: lYcqUUrbhRC.exe.0.dr, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 7.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.920000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.920000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.430000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 11.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.430000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 19.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.fc0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.fc0000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
.NET source code contains potential unpacker
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_0277BAA5 push FFFFFF8Bh; iretd 0_2_0277BAA7
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028D4219 push ebp; retf 0004h 0_2_028D421A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028D40C0 push ecx; retf 0004h 0_2_028D40C2
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028D4490 push edi; retf 0004h 0_2_028D4492
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028D4442 push edi; retf 0004h 0_2_028D444A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB2B9 pushfd ; retf 0004h 0_2_028DB2BA
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB220 pushfd ; retf 0004h 0_2_028DB222
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB250 pushfd ; retf 0004h 0_2_028DB252
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB30F pushfd ; retf 0004h 0_2_028DB312
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB191 pushfd ; retf 0004h 0_2_028DB192
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 0_2_028DB1F1 pushfd ; retf 0004h 0_2_028DB1F2
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_052669F8 pushad ; retf 7_2_052669F9
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066DD22B push ecx; retf 7_2_066DD249
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 7_2_066DBFE0 pushad ; ret 7_2_066DBFE1
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634219 push ebp; retf 11_2_0263421A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026342D3 push edi; retf 11_2_026342D6
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026342D0 push edi; retf 11_2_026342D2
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026342D7 push edi; retf 11_2_026342DA
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026340C3 push ecx; retf 11_2_026340CA
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026340C0 push ecx; retf 11_2_026340C2
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634123 push ecx; retf 11_2_02634126
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634120 push ecx; retf 11_2_02634122
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634127 push ecx; retf 11_2_0263412A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_026341E3 push esp; retf 11_2_026341EA
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634442 push edi; retf 11_2_0263444A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263444B push edi; retf 11_2_02634452
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634493 push edi; retf 11_2_0263449A
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_02634490 push edi; retf 11_2_02634492
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263B250 pushfd ; retf 11_2_0263B252
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263B30F pushfd ; retf 11_2_0263B312
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Code function: 11_2_0263B313 pushfd ; retf 11_2_0263B31A
Source: initial sample Static PE information: section name: .text entropy: 7.90065645819
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File created: C:\Users\user\AppData\Roaming\lYcqUUrbhRC.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File opened: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: LIST OF POEA DELISTED AGENCIES.pdf.exe
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6380, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 204, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.270340865.0000000007421000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000000.00000002.270340865.0000000007421000.00000004.00000001.sdmp, LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Window / User API: threadDelayed 4781
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Window / User API: threadDelayed 4574
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Window / User API: foregroundWindowGot 888
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 3952 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 5088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 6308 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 6384 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 6408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe TID: 6924 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical entries)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Thread delayed: delay time: 31500 (2 identical entries)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.506146009.00000000071E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.506146009.00000000071E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.506146009.00000000071E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 0000000B.00000002.300872246.0000000006FD1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.496471580.00000000010BE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.506146009.00000000071E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process information queried: ProcessInformation
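The memory strings and sleep values listed in this section are the raw material for a quick triage check on other dumps of the same family. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. The byte blob and the sleep entries it scans are constructed from strings quoted above, and the reading of the report's delay values as milliseconds (the unit Thread.Sleep takes) and of the leading minus sign as a relative NT interval are the author's assumptions.

```python
"""Added triage helper (not from the report): scan bytes for the anti-VM /
anti-sandbox strings this sample checks and classify its sleep intervals."""
import re

# Strings quoted in the report's "Binary or memory string" entries, grouped by
# what the malware appears to be checking for.
VM_ARTIFACTS = {
    "sandboxie": [b"SBIEDLL.DLL"],
    "wine":      [b"WINE_GET_UNIX_FILE_NAME"],
    "vmware":    [b"VMware SVGA II",
                  b"SOFTWARE\\VMware, Inc.\\VMware Tools",
                  b"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
                  b"Ven_NECVMWar&Prod_VMware"],
    "disk_enum": [b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port",
                  b"SYSTEM\\ControlSet001\\Services\\Disk\\Enum"],
    # {4D36E968-...} is the Display adapter setup class; the sample reads its
    # first device entry to compare the adapter name against "vmware".
    "video_class": [b"{4D36E968-E325-11CE-BFC1-08002BE10318}"],
}

# .NET Thread.Sleep(TimeSpan.MaxValue): Int64.MaxValue ticks / 10 000 ticks per ms.
# This is exactly the 922337203685477 value the report shows.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's ">= 3 min" threshold

SLEEP_LINE = re.compile(r"TID: (\d+) Thread sleep time: -(\d+)s >= -(\d+)s")


def scan_artifacts(data: bytes) -> dict:
    """Return {category: [matched strings]} for every artifact present in data.
    Matching is case-insensitive because the sample mixes 'vmware'/'VMWARE'."""
    hits = {}
    haystack = data.upper()
    for category, needles in VM_ARTIFACTS.items():
        found = [n.decode() for n in needles if n.upper() in haystack]
        if found:
            hits[category] = found
    return hits


def classify_sleep(ms: int) -> str:
    """Label a sleep interval given in milliseconds (assumption: the report's
    'delay time' / 'sleep time' magnitudes are ms)."""
    if ms >= TIMESPAN_MAX_MS:
        return "effectively infinite"
    if ms >= LONG_SLEEP_MS:
        return "long sleep (>= 3 min)"
    return "normal"


def parse_sleep_entries(lines):
    """Parse 'TID: n Thread sleep time: -Ns >= -Ms' entries into
    (tid, ms, label). The minus sign is assumed to be the report's rendering
    of a relative interval; M is the sandbox's own threshold."""
    out = []
    for line in lines:
        m = SLEEP_LINE.search(line)
        if m:
            tid, ms, _threshold = (int(x) for x in m.groups())
            out.append((tid, ms, classify_sleep(ms)))
    return out


# Constructed blob: a few strings from the report's memory dumps plus filler,
# to show what a hit looks like.
SAMPLE_BLOB = (b"\x00" * 16 + b"vmware\x00SBIEDLL.DLL\x00"
               b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00Program Manager\x00")

# Constructed from the "May sleep (evasive loops)" entries above.
SAMPLE_SLEEP_LINES = [
    "TID: 3952 Thread sleep time: -31500s >= -30000s",
    "TID: 5088 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 6308 Thread sleep time: -11068046444225724s >= -30000s",
]

if __name__ == "__main__":
    print(scan_artifacts(SAMPLE_BLOB))
    for entry in parse_sleep_entries(SAMPLE_SLEEP_LINES):
        print(entry)
```

Run it on a raw process-memory dump (`scan_artifacts(open(path, "rb").read())`) to get the same grouping the report derives from its Yara and string signatures; the sleep classifier is what turns the 922337203685477 value into the "infinite sleep unless a sandbox patches Sleep" reading.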

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process token adjusted: Debug (3 identical entries)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: lYcqUUrbhRC.exe.0.dr, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 7.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.920000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.920000.1.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.430000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 11.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.430000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 19.0.LIST OF POEA DELISTED AGENCIES.pdf.exe.fc0000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.fc0000.1.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Memory written: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe base: 400000 value starts with: 4D5A (2 identical entries)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe {path}
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB457.tmp'
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp5375.tmp'
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe {path}
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.505469950.000000000622D000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.497349750.00000000017D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.497349750.00000000017D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.497349750.00000000017D0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501627661.0000000003217000.00000004.00000001.sdmp Binary or memory string: Program Manager4af
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.505989014.0000000006A9D000.00000004.00000010.sdmp Binary or memory string: Program Manager H
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.497349750.00000000017D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.497349750.00000000017D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501293148.0000000003185000.00000004.00000001.sdmp Binary or memory string: Program Manager`
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.498112941.0000000002E4C000.00000004.00000001.sdmp Binary or memory string: Program Manager
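Two entries in this section are the ones worth turning into detections: a scheduled task registered from an XML file under %TEMP% (the persistence step the Sigma "scheduled temp file" rule keys on) and an MZ header written at image base 0x400000 into a second copy of the same executable (the self-injection / hollowing pattern behind "Injects a PE file into a foreign processes"). The Python below is an added example for this page, not part of the Joe Sandbox report and not code from the sample. It parses the report's own behavior lines, copied in as constructed input; the regexes and the heuristic that an injected image base is 64 KiB aligned are the author's assumptions.

```python
"""Added example (not from the report): extract persistence and injection
indicators from sandbox 'Process created' / 'Memory written' entries."""
import re

# Constructed input: behavior entries copied from this report.
REPORT_LINES = [
    r"Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lYcqUUrbhRC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'",
    r"Process created: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe {path}",
    r"Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB457.tmp'",
    r"Memory written: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe base: 400000 value starts with: 4D5A",
]

# schtasks accepts /TN and /tn, /XML and /xml; the report shows both spellings.
TASK_NAME = re.compile(r"/tn\s+'([^']+)'", re.I)
TASK_XML = re.compile(r"/xml\s+'([^']+)'", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
MEM_WRITE = re.compile(
    r"Memory written: (?P<target>.+?) base: (?P<base>[0-9a-fA-F]+) "
    r"value starts with: (?P<magic>[0-9a-fA-F]+)")


def scheduled_tasks_from_temp(lines):
    """Return (task_name, xml_path) for each 'schtasks /create' whose task
    definition XML lives in the user's Temp directory. A legitimate installer
    rarely registers tasks this way; droppers do it so the XML can carry an
    arbitrary action and trigger without touching the command line."""
    found = []
    for line in lines:
        lowered = line.lower()
        if "schtasks" not in lowered or "/create" not in lowered:
            continue
        name = TASK_NAME.search(line)
        xml = TASK_XML.search(line)
        if name and xml and TEMP_DIR.search(xml.group(1)):
            found.append((name.group(1), xml.group(1)))
    return found


def pe_writes_to_image_base(lines):
    """Flag cross-process writes that place an MZ header ('4D5A') at a
    64 KiB-aligned address. 0x400000 is the default image base of 32-bit
    .NET executables, so an MZ write there into a freshly created, suspended
    copy of the same binary is the hollowing / self-injection signature."""
    found = []
    for line in lines:
        m = MEM_WRITE.search(line)
        if not m:
            continue
        base = int(m.group("base"), 16)
        is_mz = m.group("magic").upper().startswith("4D5A")
        if is_mz and base % 0x10000 == 0:
            found.append((m.group("target"), base))
    return found


def summarize(lines):
    """Combine both checks into one triage verdict for the process tree."""
    tasks = scheduled_tasks_from_temp(lines)
    writes = pe_writes_to_image_base(lines)
    return {
        "persistence_tasks": tasks,
        "pe_injections": writes,
        "suspicious": bool(tasks) or bool(writes),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(f"{key}: {value}")
```

On a live host the same two checks map onto Sysmon Event ID 1 (schtasks.exe with `/create` and an `/xml` argument under `\AppData\Local\Temp\`) and Event ID 8/10 or an EDR's WriteProcessMemory telemetry (MZ bytes written to the image base of a child created with CREATE_SUSPENDED); the parsing above is only the offline version run over the sandbox's text.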

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LIST OF POEA DELISTED AGENCIES.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.497876017.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.505774970.0000000006620000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: LIST OF POEA DELISTED AGENCIES.pdf.exe, 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000013.00000002.309866896.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.505287922.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.294311257.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.497876017.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501649897.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.308929356.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493270074.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.501964198.0000000003F3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.309746032.0000000003421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502093667.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259633262.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 6836, type: MEMORY
Source: Yara match File source: Process Memory Space: LIST OF POEA DELISTED AGENCIES.pdf.exe PID: 5592, type: MEMORY
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff8b69.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.447060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5780000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.5784629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.446b7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a91678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3b44498.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.4474c35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ae70c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3de9930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3a01678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3fef70a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3ff4540.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3dee5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LIST OF POEA DELISTED AGENCIES.pdf.exe.3df81d4.6.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 383708
Sample: LIST OF POEA DELISTED AGENC...
Startdate: 08/04/2021
Architecture: WINDOWS
Score: 100

Signatures at the start node:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Multi AV Scanner detection for domain / URL
  • Found malware configuration
  • 14 other signatures

Process tree (graph node numbers in parentheses):
  • LIST OF POEA DELISTED AGENCIES.pdf.exe (8), started
    Dropped: C:\Users\user\AppData\Local\...\tmp1EF7.tmp (XML); C:\Users\user\AppData\...\lYcqUUrbhRC.exe (PE32)
    Signature: Injects a PE file into a foreign processes
    • LIST OF POEA DELISTED AGENCIES.pdf.exe (14), started
      DNS/IP: shahzad73.casacam.net 79.134.225.9, ports 49705, 49706, 49708, FINK-TELECOM-SERVICESCH Switzerland
      Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
      Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • schtasks.exe (25), started
        • conhost.exe (31), started
    • schtasks.exe (19), started
      • conhost.exe (27), started
  • LIST OF POEA DELISTED AGENCIES.pdf.exe (12), started
    • schtasks.exe (21), started
      • conhost.exe (29), started
    • LIST OF POEA DELISTED AGENCIES.pdf.exe (23), started

Contacted Public IPs

IP            | Domain                | Country     | ASN  | ASN Name                | Malicious
79.134.225.9  | shahzad73.casacam.net | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

Contacted Domains

Name                  | IP           | Active
shahzad73.casacam.net | 79.134.225.9 | true

Contacted URLs

Name                  | Malicious | Antivirus Detection                          | Reputation
shahzad73.ddns.net    | true      | 6%, Virustotal; Avira URL Cloud: safe        | unknown
shahzad73.casacam.net | true      | Avira URL Cloud: safe                        | unknown