
Analysis Report zunUbtZ2Y3.exe

Overview

General Information

Sample Name: zunUbtZ2Y3.exe
Analysis ID: 384233
MD5: 5ea59097fb7eed4ac42b666ac548d39c
SHA1: 919a1f62dc0358405d1d8a07dd9c1c7f1a6c1d87
SHA256: b4457b3e745bbed3ab4d61442ae846c3a06d42280c2937e406e48fea05fed6e0
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • zunUbtZ2Y3.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\zunUbtZ2Y3.exe' MD5: 5EA59097FB7EED4AC42B666AC548D39C)
    • nfiuc.pif (PID: 984 cmdline: 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' xaso.fhr MD5: 51663CBA5E7E841A0443112BF5E57049)
      • RegSvcs.exe (PID: 5660 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 5844 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4272.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5036 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 1472 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nfiuc.pif (PID: 1380 cmdline: 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' C:\Users\user\AppData\Roaming\22032878\xaso.fhr MD5: 51663CBA5E7E841A0443112BF5E57049)
    • RegSvcs.exe (PID: 4876 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 4612 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\22032878\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • dhcpmon.exe (PID: 2044 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "8080abe9-dca0-4fda-b289-40c56bb7",
  "Group": "FREE",
  "Domain1": "strongodss.ddns.net",
  "Domain2": "79.134.225.40",
  "Port": 48154,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Enable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8009,
  "BufferSize": "02000100",
  "MaxPacketSize": "",
  "GCThreshold": "",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10c2d:$x1: NanoCore.ClientPluginHost
  • 0x10c6a:$x2: IClientNetworkHost
  • 0x1479d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10995:$a: NanoCore
  • 0x109a5:$a: NanoCore
  • 0x10bd9:$a: NanoCore
  • 0x10bed:$a: NanoCore
  • 0x10c2d:$a: NanoCore
  • 0x109f4:$b: ClientPlugin
  • 0x10bf6:$b: ClientPlugin
  • 0x10c36:$b: ClientPlugin
  • 0x10b1b:$c: ProjectData
  • 0x11522:$d: DESCrypto
  • 0x18eee:$e: KeepAlive
  • 0x16edc:$g: LogClientMessage
  • 0x130d7:$i: get_Connected
  • 0x11858:$j: #=q
  • 0x11888:$j: #=q
  • 0x118a4:$j: #=q
  • 0x118d4:$j: #=q
  • 0x118f0:$j: #=q
  • 0x1190c:$j: #=q
  • 0x1193c:$j: #=q
  • 0x11958:$j: #=q
0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(125 entries in this table; the remainder is not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.nfiuc.pif.4272830.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.nfiuc.pif.4272830.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
1.3.nfiuc.pif.4272830.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
1.3.nfiuc.pif.4272830.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
2.2.RegSvcs.exe.391560b.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
  • 0x151e3:$x1: NanoCore.ClientPluginHost
  • 0x2e182:$x1: NanoCore.ClientPluginHost
  • 0x15210:$x2: IClientNetworkHost
  • 0x2e1af:$x2: IClientNetworkHost
(126 entries in this table; the remainder is not shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5660, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 5660, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp', ProcessId: 5844

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "8080abe9-dca0-4fda-b289-40c56bb7", "Group": "FREE", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.40", "Port": 48154, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: zunUbtZ2Y3.exe | Virustotal: Detection: 42%
Source: zunUbtZ2Y3.exe | ReversingLabs: Detection: 54%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORY
Source: Yara match | File source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY
Source: Yara match | File source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.60b0000.11.unpack | Avira: Label: TR/NanoCore.fadte
Source: 2.2.RegSvcs.exe.500000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.RegSvcs.exe.d00000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: zunUbtZ2Y3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: zunUbtZ2Y3.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zunUbtZ2Y3.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000000.677858519.0000000000072000.00000002.00020000.sdmp, RegSvcs.exe, 00000007.00000002.694635548.0000000000FF2000.00000002.00020000.sdmp, dhcpmon.exe, 00000009.00000002.697960296.0000000000062000.00000002.00020000.sdmp, RegSvcs.exe, 0000000C.00000000.708928174.00000000008E2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.733978746.0000000000942000.00000002.00020000.sdmp, dhcpmon.exe.2.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 00000007.00000002.695470154.0000000005920000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.699203084.00000000022D0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, RegSvcs.exe, 0000000C.00000000.708928174.00000000008E2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.733978746.0000000000942000.00000002.00020000.sdmp, dhcpmon.exe.2.dr
Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0135A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0136AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_01379FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 1_2_00F1399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 11_2_00F1399B GetFileAttributesW,FindFirstFileW,FindClose,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 79.134.225.40
Source: Malware configuration extractor | URLs: strongodss.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: strongodss.ddns.net
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 79.134.225.40:48154
Source: Joe Sandbox View | IP Address: 79.134.225.40
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: strongodss.ddns.net
Source: nfiuc.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: nfiuc.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: nfiuc.pif.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: nfiuc.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: nfiuc.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: the same memory dumps, process memory spaces and unpacked PEs already listed for this signature under AV Detection above
        Source: Yara matchFile source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00 (NtSetInformationProcess with ProcessBreakOnTermination = 1: the injected RegSvcs.exe marks itself a critical process, so terminating it with Task Manager or taskkill bugchecks the host with CRITICAL_PROCESS_DIED instead of cleaning it up)
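An incident responder who tries to kill the injected RegSvcs.exe without checking this flag will blue-screen the host. The following is an added example (not part of the Joe Sandbox report and not the sample's code) that decodes the logged "01 00 00 00" value and, on Windows, queries and clears the flag through ntdll's NtQueryInformationProcess / NtSetInformationProcess (class 0x1D) before a process is terminated. Clearing the flag requires SeDebugPrivilege; the PID passed on the command line is assumed to be the suspect process.

```python
"""Detect and clear the BreakOnTermination (critical process) flag on a
suspect process before terminating it.

Added example, not from the report. decode_process_information() runs
anywhere; the live query/clear is Windows-only and uses the ntdll calls
NtQueryInformationProcess / NtSetInformationProcess with class 0x1D."""
import ctypes
import struct
import sys

PROCESS_BREAK_ON_TERMINATION = 0x1D   # ProcessInformationClass 29
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SET_INFORMATION = 0x0200


def decode_process_information(hex_bytes):
    """Decode the little-endian ULONG the sandbox logs as e.g. '01 00 00 00'.
    A value of 1 means BreakOnTermination is set (process is critical)."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("expected a 4-byte ULONG")
    return struct.unpack("<I", raw)[0]


def _open(pid, access):
    """Open the target process with the given access mask (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live process queries need Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(access, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    return k32, h


def _ntdll():
    nt = ctypes.WinDLL("ntdll")
    nt.NtQueryInformationProcess.restype = ctypes.c_long   # NTSTATUS
    nt.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                             ctypes.c_void_p, ctypes.c_uint32,
                                             ctypes.c_void_p]
    nt.NtSetInformationProcess.restype = ctypes.c_long
    nt.NtSetInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                           ctypes.c_void_p, ctypes.c_uint32]
    return nt


def is_critical_process(pid):
    """True if terminating `pid` would bugcheck the host (CRITICAL_PROCESS_DIED)."""
    k32, h = _open(pid, PROCESS_QUERY_INFORMATION)
    try:
        flag = ctypes.c_ulong(0)
        status = _ntdll().NtQueryInformationProcess(
            h, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag), ctypes.sizeof(flag), None)
        if status != 0:
            raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return bool(flag.value)
    finally:
        k32.CloseHandle(h)


def clear_critical_flag(pid):
    """Reset BreakOnTermination to 0 so the process can be killed safely.
    The caller needs SeDebugPrivilege (run elevated)."""
    k32, h = _open(pid, PROCESS_SET_INFORMATION)
    try:
        flag = ctypes.c_ulong(0)
        status = _ntdll().NtSetInformationProcess(
            h, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag), ctypes.sizeof(flag))
        if status != 0:
            raise OSError(f"NtSetInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    # The value logged in the report for RegSvcs.exe decodes to 1 (critical).
    print("report value 01 00 00 00 ->", decode_process_information("01 00 00 00"))
    if sys.platform == "win32" and len(sys.argv) > 1:
        pid = int(sys.argv[1])   # assumed: PID of the suspect process
        if is_critical_process(pid):
            print(f"PID {pid} is critical; clearing flag before termination")
            clear_critical_flag(pid)
```

Run it elevated as `python critical_flag.py <pid>` on the live host before any `taskkill`; on a non-Windows analysis box only the decode helper is usable.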

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.927012461.00000000060A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.926952371.0000000006010000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.60a0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.349e6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.44807ce.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.28f3490.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.3499650.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.6010000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.28f82f0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.RegSvcs.exe.3499650.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.39107ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegSvcs.exe.28f3490.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
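The two Yara lists above (the plain "Yara match" sources and the "Matched rule" rows) use three source notations: sandbox memory dumps named `<pidx>.<stage>.<id>.<base>.<protect>.<memtype>.sdmp`, unpacked PE images named `<pidx>.<stage>.<image>.<base>.<n>[.raw].unpack`, and whole process spaces with a PID. The following is an added triage helper, not part of the Joe Sandbox report, that parses those rows, groups hits by sandbox process index and flags regions whose protection value is writable and executable; it serves both lists. The field meanings assumed for the dump name (process index in hex, matching the decimal index in the unpack names, and a Win32 PAGE_* protection value) are the author's reading of the report format, not documented by the page, and the sample rows are copied from the report.

```python
"""Triage helper for the Joe Sandbox 'Yara match' / 'Matched rule' rows.

Added example, not part of the report. Parses the three source forms the
report uses, decodes the memory-dump naming scheme (assumed field meanings,
see comments) and groups hits per sandboxed process so the injected
writable+executable regions stand out."""
import re
from collections import defaultdict

# Row as it appears in the flattened table: "Source: <src>, type: <kind>" with
# an optional "Matched rule: <desc> Author: <author>" cell fused onto it.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>MEMORY|UNPACKEDPE)"
    r"(?:Matched rule:\s*(?P<desc>.+?)\s+Author:\s*(?P<author>.+?))?\s*$"
)
# <pidx>.<stage>.<dumpid>.<base>.<protect>.<memtype>.sdmp (hex except dumpid).
# Assumed meanings: pidx = sandbox process index (0B == "11." in unpack names),
# stage = dump phase, protect = Win32 PAGE_* value of the dumped region.
SDMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
# <pidx>.<stage>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pidx>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)
PROCSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_WRITABLE_MASK = 0xC0  # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


def parse_row(line):
    """Return a dict describing one report row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rec = {"src": m["src"], "kind": m["kind"], "rule": m["desc"], "author": m["author"]}
    s = m["src"]
    d, u, p = SDMP_RE.match(s), UNPACK_RE.match(s), PROCSPACE_RE.match(s)
    if d:
        prot = int(d["prot"], 16)
        rec.update(form="sdmp", pidx=int(d["pidx"], 16), stage=int(d["stage"], 16),
                   base=int(d["base"], 16), prot=prot,
                   prot_name=PAGE_PROTECT.get(prot & 0xFF, "PAGE_?"))
    elif u:
        rec.update(form="unpack", pidx=int(u["pidx"]), stage=int(u["stage"]),
                   image=u["image"], base=int(u["base"], 16), raw=bool(u["raw"]))
    elif p:
        rec.update(form="procspace", image=p["image"], pid=int(p["pid"]))
    else:
        rec["form"] = "unknown"
    return rec


def triage(lines):
    """Group hits by sandbox process index; collect regions that are writable and executable."""
    recs = [r for r in map(parse_row, lines) if r]
    # The unpack names carry the image name; use them to label the hex-indexed dumps.
    image_by_pidx = {r["pidx"]: r["image"] for r in recs if r["form"] == "unpack"}
    procs = defaultdict(lambda: {"image": None, "hits": 0, "rules": set(), "rwx_regions": set()})
    for r in recs:
        if r["form"] not in ("sdmp", "unpack"):
            continue
        proc = procs[r["pidx"]]
        proc["image"] = image_by_pidx.get(r["pidx"])
        proc["hits"] += 1
        if r["rule"]:
            proc["rules"].add(r["rule"])
        if r["form"] == "sdmp" and r["prot"] & EXEC_WRITABLE_MASK:
            proc["rwx_regions"].add(r["base"])
    return dict(procs)


def summarize(procs):
    """One line per process, most hits first."""
    out = []
    for pidx, p in sorted(procs.items(), key=lambda kv: -kv[1]["hits"]):
        rwx = ", ".join(f"0x{b:X}" for b in sorted(p["rwx_regions"])) or "none"
        out.append(f"process {pidx} ({p['image'] or '?'}): {p['hits']} hits, "
                   f"rules={sorted(p['rules'])}, RWX regions={rwx}")
    return out


# Constructed sample: rows copied from the report above.
SAMPLE_ROWS = [
    "Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY",
    "Source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
]

if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_ROWS)):
        print(line)
```

On the sample rows the RWX hits land at 0x502000 in process 2 and 0xD02000 in process 12, both RegSvcs.exe, which is exactly the injected NanoCore image; the nfiuc.pif hits are in plain read/write regions (the staging buffers of the AutoIt loader). Feed the full report table in and the same grouping tells you which process to dump first.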
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01356FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_013583C0
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136626D
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01370113
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0137C0B0
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_013530FC
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_013633D3
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136F3CA
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135E510
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0137C55E
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01370548
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135F5C5
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01380654
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136364E
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_013666A2
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01352692
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135E973
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136397F
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136589E
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136F8C6
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135BAD1
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135DADD
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01355D7E
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01373CBA
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136FCDE
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01366CDB
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0135DF12
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01353EAD
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_01373EE9
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EE98F0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EE35F0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EFC8CE
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00F0088F
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EFA137
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EF1903
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EF3721
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00F01F2C
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 1_2_00EEF730
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 2_2_04F5E480
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 2_2_04F5E471
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 2_2_04F5BBD4
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 2_2_063703F0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EE98F0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EE35F0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EFC8CE
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00F0088F
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EFA137
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EF1903
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00F03BA1
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00F00DE0
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EF3721
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00F01F2C
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00EEF730
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: String function: 00EF6B90 appears 65 times
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: String function: 00EF333F appears 36 times
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: String function: 00EF8115 appears 37 times
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: String function: 0136D870 appears 35 times
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: String function: 0136E2F0 appears 31 times
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: String function: 0136D940 appears 51 times
        Source: nfiuc.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: nfiuc.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: nfiuc.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: zunUbtZ2Y3.exe, 00000000.00000002.668361622.0000000003160000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs zunUbtZ2Y3.exe
        Source: zunUbtZ2Y3.exe, 00000000.00000002.668480248.0000000003250000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs zunUbtZ2Y3.exe
        Source: zunUbtZ2Y3.exe, 00000000.00000002.668480248.0000000003250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zunUbtZ2Y3.exe
        Source: zunUbtZ2Y3.exe, 00000000.00000002.668614933.0000000004FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs zunUbtZ2Y3.exe
        Source: zunUbtZ2Y3.exe, 00000000.00000002.667785434.0000000001340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs zunUbtZ2Y3.exe
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Section loaded: dxgidebug.dll
        Source: zunUbtZ2Y3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.927012461.00000000060A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.927012461.00000000060A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.926952371.0000000006010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.926952371.0000000006010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.60a0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.60a0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.349e6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.349e6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.44807ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.44807ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.28f3490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.28f3490.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.3499650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.3499650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.6010000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.6010000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.28f82f0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.RegSvcs.exe.3499650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.RegSvcs.exe.3499650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.39107ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.39107ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegSvcs.exe.28f3490.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/35@11/2
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_01356D06 GetLastError,FormatMessageW,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 1_2_00F13EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0136963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | File created: C:\Users\user\AppData\Roaming\22032878
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{8080abe9-dca0-4fda-b289-40c56bb7d446}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2864:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | File created: C:\Users\user\temp\lqjmggks.ico
        Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\22032878\Update.vbs'
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Command line argument: sfxname
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Command line argument: sfxstime
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Command line argument: STARTDLG
        Source: zunUbtZ2Y3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | File read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: zunUbtZ2Y3.exe | Virustotal: Detection: 42%
        Source: zunUbtZ2Y3.exe | ReversingLabs: Detection: 54%
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | File read: C:\Users\user\Desktop\zunUbtZ2Y3.exe
        Source: unknown | Process created: C:\Users\user\Desktop\zunUbtZ2Y3.exe 'C:\Users\user\Desktop\zunUbtZ2Y3.exe'
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Process created: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' xaso.fhr
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4272.tmp'
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' C:\Users\user\AppData\Roaming\22032878\xaso.fhr
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: zunUbtZ2Y3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: zunUbtZ2Y3.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zunUbtZ2Y3.exe
        Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000000.677858519.0000000000072000.00000002.00020000.sdmp, RegSvcs.exe, 00000007.00000002.694635548.0000000000FF2000.00000002.00020000.sdmp, dhcpmon.exe, 00000009.00000002.697960296.0000000000062000.00000002.00020000.sdmp, RegSvcs.exe, 0000000C.00000000.708928174.00000000008E2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.733978746.0000000000942000.00000002.00020000.sdmp, dhcpmon.exe.2.dr
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp
        Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 00000007.00000002.695470154.0000000005920000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.699203084.00000000022D0000.00000002.00000001.sdmp
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, RegSvcs.exe, 0000000C.00000000.708928174.00000000008E2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.733978746.0000000000942000.00000002.00020000.sdmp, dhcpmon.exe.2.dr
        Source: zunUbtZ2Y3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: zunUbtZ2Y3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: zunUbtZ2Y3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: zunUbtZ2Y3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: zunUbtZ2Y3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 1_2_00EEEE30 LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | File created: C:\Users\user\AppData\Roaming\22032878\__tmp_rar_sfx_access_check_5048640
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0136E336 push ecx; ret
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0136D870 push eax; ret
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 1_2_00EF6BD5 push ecx; ret
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 11_2_00EF6BD5 push ecx; ret
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 2.2.RegSvcs.exe.500000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.RegSvcs.exe.d00000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Persistence and Installation Behavior:

        Drops PE files with a suspicious file extension
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | File created: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM autoit script
        Source: Yara match | File source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY
        Source: Yara match | File source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 5177
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 4339
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: foregroundWindowGot 773
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif TID: 3684 | Thread sleep count: 69 > 30
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif TID: 3684 | Thread sleep count: 124 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5620 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif TID: 5048 | Thread sleep count: 71 > 30
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif TID: 5048 | Thread sleep count: 107 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5880 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0135A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_0136AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe | Code function: 0_2_01379FD3 FindFirstFileExA,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | Code function: 1_2_00F1399B GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pifCode function: 11_2_00F1399B GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exeCode function: 0_2_0136D353 VirtualQuery,GetSystemInfo,
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: nfiuc.pif, 00000001.00000003.684885718.0000000003373000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exey
        Source: nfiuc.pif, 00000001.00000003.684148399.0000000003356000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenNf3
        Source: nfiuc.pif, 00000001.00000003.671342087.0000000003341000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
        Source: nfiuc.pif, 00000001.00000003.684148399.0000000003356000.00000004.00000001.sdmp Binary or memory string: rocessExists("VboxService.exe") Then
        Source: RegSvcs.exe, 00000002.00000002.927344213.0000000006980000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.695550229.00000000059F0000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.700600962.0000000004920000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: nfiuc.pif, 0000000B.00000003.717402511.000000000392B000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe65687
        Source: nfiuc.pif, 00000001.00000003.684987254.000000000337B000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe5FB536C7
        Source: nfiuc.pif, 00000001.00000003.684885718.0000000003373000.00000004.00000001.sdmp Binary or memory string: VboxService.exez
        Source: xaso.fhr.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: xaso.fhr.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: nfiuc.pif, 0000000B.00000003.716580756.0000000003920000.00000004.00000001.sdmp Binary or memory string: VboxService.exel
        Source: RegSvcs.exe, 00000002.00000002.927344213.0000000006980000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.695550229.00000000059F0000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.700600962.0000000004920000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then1Y
        Source: xaso.fhr.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
        Source: nfiuc.pif, 00000001.00000003.684987254.000000000337B000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe444D6
        Source: RegSvcs.exe, 00000002.00000002.922838345.0000000000E9A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: nfiuc.pif, 00000001.00000003.684732890.0000000003357000.00000004.00000001.sdmp Binary or memory string: And ProcessExists("VMwareService.exe") ThenNf3
        Source: nfiuc.pif, 0000000B.00000003.716580756.0000000003920000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe
        Source: nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: rocessExists("VboxService.exe") ThenYqO
        Source: nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then5g
        Source: nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
        Source: nfiuc.pif, 00000001.00000003.671342087.0000000003341000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenL4R
        Source: xaso.fhr.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
        Source: nfiuc.pif, 00000001.00000003.684987254.000000000337B000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exek
        Source: nfiuc.pif, 00000001.00000003.671342087.0000000003341000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenNf3@
        Source: nfiuc.pif, 0000000B.00000003.717402511.000000000392B000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exeE97637D6
        Source: RegSvcs.exe, 00000002.00000002.927344213.0000000006980000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.695550229.00000000059F0000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.700600962.0000000004920000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: nfiuc.pif, 00000001.00000003.684148399.0000000003356000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenL4
        Source: nfiuc.pif, 00000001.00000003.684148399.0000000003356000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: xaso.fhr.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: RegSvcs.exe, 00000002.00000002.927344213.0000000006980000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.695550229.00000000059F0000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.700600962.0000000004920000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: nfiuc.pif, 0000000B.00000003.717402511.000000000392B000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe^
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EFD935 __malloc_crt,__lseeki64_nolock,ReadFile,ReadFile,GetLastError,__lseeki64_nolock,__lseeki64_nolock,MultiByteToWideChar,GetLastError,__dosmaperr,_free,LdrInitializeThunk,ReadFile,GetLastError,__lseeki64_nolock,GetLastError,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EEEE30 LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_01376AF3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0137ACA1 GetProcessHeap,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136E643 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_01377BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EF7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 11_2_00EFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 11_2_00EF7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 500000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: D00000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 500000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: D00000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 500000
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 21C000
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: D00000
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B0C000
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EED7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Process created: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' xaso.fhr
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4272.tmp'
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: RegSvcs.exe, 00000002.00000002.923408750.00000000029C7000.00000004.00000001.sdmp Binary or memory string: Program Manager(
        Source: nfiuc.pif, 00000001.00000003.684885718.0000000003373000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: nfiuc.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: RegSvcs.exe, 00000002.00000002.922956588.0000000001290000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: RegSvcs.exe, 00000002.00000002.922956588.0000000001290000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: nfiuc.pif, 00000001.00000003.684148399.0000000003356000.00000004.00000001.sdmp, nfiuc.pif, 0000000B.00000003.715395367.0000000003905000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: RegSvcs.exe, 00000002.00000002.926928366.000000000600C000.00000004.00000001.sdmp Binary or memory string: Program Managerp
        Source: RegSvcs.exe, 00000002.00000002.923408750.00000000029C7000.00000004.00000001.sdmp Binary or memory string: Program ManagerD2
        Source: nfiuc.pif, 00000001.00000003.671342087.0000000003341000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenM
        Source: xaso.fhr.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: RegSvcs.exe, 00000002.00000002.922956588.0000000001290000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: RegSvcs.exe, 00000002.00000002.923408750.00000000029C7000.00000004.00000001.sdmp Binary or memory string: Program ManagerHaak(
        Source: RegSvcs.exe, 00000002.00000002.923408750.00000000029C7000.00000004.00000001.sdmp Binary or memory string: Program ManagerT
        Source: nfiuc.pif, 0000000B.00000003.716580756.0000000003920000.00000004.00000001.sdmp Binary or memory string: Program Managerq
        Source: nfiuc.pif, 00000001.00000000.667167834.0000000000F62000.00000002.00020000.sdmp, nfiuc.pif, 0000000B.00000000.697312024.0000000000F62000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: RegSvcs.exe, 00000002.00000002.927133975.000000000620C000.00000004.00000001.sdmp Binary or memory string: lProgram Manager
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136E34B cpuid
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: GetLocaleInfoW,GetNumberFormatW,
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0136CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Code function: 1_2_00EFE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\zunUbtZ2Y3.exe Code function: 0_2_0135A995 GetVersionExW,
        Source: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY
        Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORY
        Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORY
        Source: Yara match File source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY
        Source: Yara match File source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: nfiuc.pif, 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: nfiuc.pif, 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegSvcs.exe, 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Yara detected Nanocore RAT
        Source: Yara match; File source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: nfiuc.pif PID: 984, type: MEMORY
        Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4876, type: MEMORY
        Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORY
        Source: Yara match; File source: Process Memory Space: nfiuc.pif PID: 1380, type: MEMORY
        Source: Yara match; File source: 1.3.nfiuc.pif.4272830.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.391560b.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.4679e70.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.391b041.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.3.nfiuc.pif.4272830.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.474baa0.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.RegSvcs.exe.448560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.RegSvcs.exe.448b041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.474baa0.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.RegSvcs.exe.44807ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.46e2a90.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.3.nfiuc.pif.4272830.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.474baa0.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.3.nfiuc.pif.4272830.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.4679e70.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.RegSvcs.exe.448b041.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.60b4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.4645668.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.500000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.3.nfiuc.pif.41d4c00.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.RegSvcs.exe.d00000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.391b041.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 2.2.RegSvcs.exe.39107ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.46ae678.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.46e2a90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.46e2a90.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.474baa0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.3.nfiuc.pif.46e2a90.4.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scripting 11 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 | Input Capture 11 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Native API 1 | Scheduled Task/Job 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Process Injection 312 | Scripting 11 | Security Account Manager | System Information Discovery 35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Scheduled Task/Job 1 | Obfuscated Files or Information 2 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | Security Software Discovery 131 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 12 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 31 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 312 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 384233, Sample: zunUbtZ2Y3.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100

        Start node
          DNS/IP: strongodss.ddns.net
          Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
          Started: zunUbtZ2Y3.exe 28
            Dropped file: C:\Users\user\AppData\Roaming\...\nfiuc.pif, PE32
            Signature: Drops PE files with a suspicious file extension
            Started: nfiuc.pif 2 4
              Dropped file: C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32
              Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
              Started: RegSvcs.exe 1 11
                DNS/IP: strongodss.ddns.net 79.134.225.40, 48154, 49729, 49730, FINK-TELECOM-SERVICESCH, Switzerland
                DNS/IP: 192.168.2.1 unknown unknown
                Dropped files: C:\Users\user\AppData\Roaming\...\run.dat, data; C:\Users\user\AppData\Local\...\tmp3E2B.tmp, XML; C:\Program Files (x86)\...\dhcpmon.exe, PE32
                Signatures: Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
                Started: schtasks.exe 1
                  Started: conhost.exe
                Started: schtasks.exe 1
                  Started: conhost.exe
          Started: nfiuc.pif
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            Started: RegSvcs.exe 2
          Started: RegSvcs.exe 2
            Started: conhost.exe
          Started: 3 other processes
            Started: conhost.exe
            Started: conhost.exe

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        zunUbtZ2Y3.exe | 43% | Virustotal |
        zunUbtZ2Y3.exe | 54% | ReversingLabs | Win32.Backdoor.NanoCore

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | 19% | Metadefender |
        C:\Users\user\AppData\Roaming\22032878\nfiuc.pif | 45% | ReversingLabs | Win32.Trojan.Generic

        Unpacked PE Files

        Source | Detection | Scanner | Label
        2.2.RegSvcs.exe.60b0000.11.unpack | 100% | Avira | TR/NanoCore.fadte
        2.2.RegSvcs.exe.500000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.RegSvcs.exe.d00000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        strongodss.ddns.net | 8% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Virustotal |
        http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Avira URL Cloud | safe
        http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe
        http://www.globalsign.net/repository09 | 0% | Virustotal |
        http://www.globalsign.net/repository09 | 0% | Avira URL Cloud | safe
        79.134.225.40 | 0% | Avira URL Cloud | safe
        http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe
        strongodss.ddns.net | 0% | Avira URL Cloud | safe
        http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        strongodss.ddns.net | 79.134.225.40 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        79.134.225.40 | true | Avira URL Cloud: safe | unknown
        strongodss.ddns.net | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://secure.globalsign.net/cacert/PrimObject.crt0 | nfiuc.pif.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
        http://secure.globalsign.net/cacert/ObjectSign.crt09 | nfiuc.pif.0.dr | false | URL Reputation: safe | unknown
        http://www.globalsign.net/repository09 | nfiuc.pif.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
        http://www.autoitscript.com/autoit3/0 | nfiuc.pif.0.dr | false | | high
        http://www.globalsign.net/repository/0 | nfiuc.pif.0.dr | false | URL Reputation: safe | unknown
        http://www.globalsign.net/repository/03 | nfiuc.pif.0.dr | false | URL Reputation: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          79.134.225.40 | strongodss.ddns.net | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version: 31.0.0 Emerald
          Analysis ID: 384233
          Start date: 08.04.2021
          Start time: 19:05:11
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 14m 24s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: zunUbtZ2Y3.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 16
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@21/35@11/2
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 35.9% (good quality ratio 33.6%)
          • Quality average: 78.7%
          • Quality standard deviation: 29%
          HCA Information:
          • Successful, ratio: 52%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 104.43.139.144, 52.147.198.201, 52.255.188.83, 8.238.28.126, 8.238.35.126, 8.238.29.126, 8.241.83.126, 8.238.36.254
          • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolcus15.cloudapp.net
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          19:06:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\22032878\nfiuc.pif C:\Users\user\AppData\Roaming\22032878\xaso.fhr
          19:06:19 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
          19:06:19 | API Interceptor | 922x Sleep call for process: RegSvcs.exe modified
          19:06:21 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
          19:06:22 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Roaming\22032878\Update.vbs
          19:06:30 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

          Match | Associated Sample Name / URL | Detection
          79.134.225.40 | cJtVGjtNGZ.exe | malicious
           | 3aDHivUqWtumbXb.exe | malicious
           | fMy120EQiT6NaRd.exe | malicious
           | SecuriteInfo.com.Variant.Bulz.394792.29952.exe | malicious
           | SecuriteInfo.com.Trojan.PackedNET.578.18498.exe | malicious
           | SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe | malicious
           | HOqJcenF6O.exe | malicious
           | 0I2ddZZKv7.exe | malicious
           | Q2BZ01fmwK.exe | malicious
           | eO769dBnEg.exe | malicious
           | compiled_report_2020_xls.exe | malicious
           | all_reports_compiled_xls_2020_contact_details.exe | malicious
           | 9dAVqCPNyn.exe | malicious
           | M5NwREJ2Yc.exe | malicious
           | lyrvDJCi1i.exe | malicious
           | FUyv1AeebX.exe | malicious
           | SecuriteInfo.com.Trojan.Inject4.6124.10543.exe | malicious
           | U0GqWnTbUO.exe | malicious
           | Clqf4jiA3N.exe | malicious
           | dUWLmGj0PC.exe | malicious

          Domains

          Match | Associated Sample Name / URL | Detection | Context
          strongodss.ddns.net | cJtVGjtNGZ.exe | malicious | 79.134.225.40
           | 3aDHivUqWtumbXb.exe | malicious | 105.112.99.199
           | fMy120EQiT6NaRd.exe | malicious | 79.134.225.40
           | SecuriteInfo.com.Variant.Bulz.394792.29952.exe | malicious | 105.112.98.171
           | SecuriteInfo.com.Trojan.PackedNET.578.18498.exe | malicious | 105.112.98.171
           | nq0aCrCXyE.exe | malicious | 87.237.165.78
           | 73SriHObnQ.exe | malicious | 87.237.165.78
           | rb86llCYzA.exe | malicious | 87.237.165.78
           | uB8OTxUd3O.exe | malicious | 87.237.165.78
           | NNb2NBgsob.exe | malicious | 87.237.165.78
           | cp573oYDUX.exe | malicious | 87.237.165.78
           | Y5XyMnx8Ng.exe | malicious | 87.237.165.78
           | YoWPu2BQzA9FeDd.exe | malicious | 87.237.165.78
           | M5QDAaK9yM.exe | malicious | 87.237.165.78
           | TdX45jQWjj.exe | malicious | 87.237.165.78

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          FINK-TELECOM-SERVICESCH | EASTERS.exe | malicious | 79.134.225.118
           | LIST OF POEA DELISTED AGENCIES.pdf.exe | malicious | 79.134.225.9
           | AWB.pdf.exe | malicious | 79.134.225.102
           | AIC7VMxudf.exe | malicious | 79.134.225.30
           | 9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe | malicious | 79.134.225.21
           | PO50164.exe | malicious | 79.134.225.79
           | Fast color scan to a PDFfile_1_20210331084231346.pdf.exe | malicious | 79.134.225.102
           | n7dIHuG3v6.exe | malicious | 79.134.225.92
           | F6JT4fXIAQ.exe | malicious | 79.134.225.92
           | order_inquiry2094.xls.exe | malicious | 79.134.225.102
           | 5H957qLghX.exe | malicious | 79.134.225.25
           | yBio5dWAOl.exe | malicious | 79.134.225.7
           | wDIaJji4Vv.exe | malicious | 79.134.225.7
           | DkZY1k3y9F.exe | malicious | 79.134.225.23
           | hbvo9thTAX.exe | malicious | 79.134.225.7
           | SCAN ORDER DOC 040202021.exe | malicious | 79.134.225.71
           | Waybill Doc_pdf.exe | malicious | 79.134.225.92
           | gfcYixSdyD.exe | malicious | 79.134.225.71
           | cJtVGjtNGZ.exe | malicious | 79.134.225.40
           | Transferwise beneficiary detailspdf.exe | malicious | 79.134.225.22

          JA3 Fingerprints

          No context

          Dropped Files

          Match | Associated Sample Name / URL | Detection
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | bank transfer.exe | malicious
           | nunu.exe | malicious
           | quotation.exe | malicious
           | GS_ PO NO.1862021.exe | malicious
           | UPDATED SOA.exe | malicious
           | comprobante de pago bancario.exe | malicious
           | ANS_309487487_#049844874.exe | malicious
           | Dekont_12VK2102526 VAKIF KATILIM.exe | malicious
           | taiwan.exe | malicious
           | SWIFT COPY.exe | malicious
           | GS_ PO NO.1862021.exe | malicious
           | purchase order.exe | malicious
           | Payment Advice.exe | malicious
           | Quotation.pdf...exe | malicious
           | PURCHASE ORDER.exe | malicious
           | money.exe | malicious
           | TT COPY.exe | malicious
           | $$$.exe | malicious
           | ORDER.exe | malicious
           | PO-0561.exe | malicious

          Created / dropped Files

                                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):45152
                                                                                          Entropy (8bit):6.149629800481177
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                          MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                          Malicious:false
          Antivirus:
          • Antivirus: Metadefender, Detection: 0%
          • Antivirus: ReversingLabs, Detection: 0%
          Joe Sandbox View:
          • Filename: bank transfer.exe, Detection: malicious
          • Filename: nunu.exe, Detection: malicious
          • Filename: quotation.exe, Detection: malicious
          • Filename: GS_ PO NO.1862021.exe, Detection: malicious
          • Filename: UPDATED SOA.exe, Detection: malicious
          • Filename: comprobante de pago bancario.exe, Detection: malicious
          • Filename: ANS_309487487_#049844874.exe, Detection: malicious
          • Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious
          • Filename: taiwan.exe, Detection: malicious
          • Filename: SWIFT COPY.exe, Detection: malicious
          • Filename: GS_ PO NO.1862021.exe, Detection: malicious
          • Filename: purchase order.exe, Detection: malicious
          • Filename: Payment Advice.exe, Detection: malicious
          • Filename: Quotation.pdf...exe, Detection: malicious
          • Filename: PURCHASE ORDER.exe, Detection: malicious
          • Filename: money.exe, Detection: malicious
          • Filename: TT COPY.exe, Detection: malicious
          • Filename: $$$.exe, Detection: malicious
          • Filename: ORDER.exe, Detection: malicious
          • Filename: PO-0561.exe, Detection: malicious
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):142
                                                                                          Entropy (8bit):5.090621108356562
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                          Malicious:false
                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):142
                                                                                          Entropy (8bit):5.090621108356562
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                          Malicious:false
                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                          C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          Process:C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):45152
                                                                                          Entropy (8bit):6.149629800481177
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                          MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                          Malicious:true
          Antivirus:
          • Antivirus: Metadefender, Detection: 0%
          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                          C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1308
                                                                                          Entropy (8bit):5.103583470672722
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yfkxtn:cbk4oL600QydbQxIYODOLedq3jkj
                                                                                          MD5:990B7A403BC76992021F9FA8008904F2
                                                                                          SHA1:42911051D889BC22633FB4EC99794202975260A8
                                                                                          SHA-256:2C4DC85A9C8127D7F864AB718245EBC0C5B625C04837AC84E012429E956936EE
                                                                                          SHA-512:C5FF697E356C84B83D18952A5EDA27E225E649B89F8E43BEE565C6DFC87B12D15D8AD0698C03D6915786120042DABFBCB11493E233B8B3B2742EE8C0C5E4A09C
                                                                                          Malicious:true
                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                          C:\Users\user\AppData\Local\Temp\tmp4272.tmp
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1310
                                                                                          Entropy (8bit):5.109425792877704
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                          Malicious:false
                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                          C:\Users\user\AppData\Roaming\22032878\Update.vbs
                                                                                          Process:C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):134
                                                                                          Entropy (8bit):4.980914870423424
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:FER/n0eFH5Ot+kiEaKC5pPex1t+kiEaKC5pZEZxHn:FER/lFHIwknaZ5hevwknaZ53EPHn
                                                                                          MD5:C81CE4477142FA6E216A1742FF5D153D
                                                                                          SHA1:95F3BE4488F26D0BED40A1447847C6BBFDB4EA63
                                                                                          SHA-256:CBB4B78FA8848000511B01CCDD1EC3AEF39F9552856B859ABC94AFA384302A8E
                                                                                          SHA-512:65C567656834FC42F0D3BEC85B062C5E46E56AB1108EBED54486D0E9C90E3EA6F88D178C923C2EBEB25ED97DB6DAD07010C79001CF10B8275E9E41D5C65D8E45
                                                                                          Malicious:false
                                                                                          Preview: CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Roaming\22032878\nfiuc.pif C:\Users\user\AppData\Roaming\22032878\xaso.fhr"
                                                                                          C:\Users\user\AppData\Roaming\22032878\btdbvndt.bmp
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):559
                                                                                          Entropy (8bit):5.590049640287996
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:M6UJPoPptZaSIVFJXXX3jlwlC30ADU+Tv/TSbgJPD:M6UJPSptwSwnXyrB+zTT5
                                                                                          MD5:BAEC341B881A94D65AC13E41DD97957F
                                                                                          SHA1:BD5DB45977FA111B4E1631081FDD091F9B06D30B
                                                                                          SHA-256:31EC8CE62360246F905DB095A8BF7529DC149133B6F67CE1CEC6CD70BFCAB8D5
                                                                                          SHA-512:425ED5648F5DA202C6C3646F4359165EFA5151150AA87D3BC6E276B19CE18F7EBF5A9296E4A8341DFFF5A055A9E50E19A24ABB422B5B23C8EE044FD7B148590D
                                                                                          Malicious:false
                                                                                          Preview: BFI31154Y8Exd190438M3BD7g0r2R70eM2D60LmtIxt3PhG48591..Ui2zv4r6Fsee9d8uqZpQlqT8DF4lFw38n2OAybT5qF35254g55TjE6..xd26f1qZJPJf7Ie2I3w255WqNbhHWY4HUqX775k94zl719Je04UfwN..ugo2804m8RU953Vz6Ji9Q6fu3VPxkx494SbBx3H1Au857OSsx4avd11ngE6N890eOdO6iWwO337lF2z0c0sxCFcB92tvCO382ZTBR393tJEDb9fb6C51qA087M78z6QY9qk..0XRr9VL7x9huc602dab0w2u4vr3KjlDRP0QK237B3H3ph87i27DL83O9537lmj9s..d939hI0fQnVPOP9U743323i2QY27B8u1c340p8v2UWRiKHb49c213aze951b90gpR3678pyeSr6v9P5X36766O..vMNi519gS381U5032zoY16b1472b3y11U0G32nM34Gjxy4zV474d3VyNQ66Bc464Ki6AU39R36683221998093SfgmPp7608793t187V..
                                                                                          C:\Users\user\AppData\Roaming\22032878\dnxuddwt.ppt
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):522
                                                                                          Entropy (8bit):5.405974627564001
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:LLTIGOWK2eKGIHAb4pN/QfCT1G49RMqpcDiO0:EjWKvKfHAgNY6T1nFpcGO0
                                                                                          MD5:AD0538F8F9BEB5F33E161A05B15C877D
                                                                                          SHA1:1881300024085A1930A6B2B5D824A2C19E6414B2
                                                                                          SHA-256:3FC4C9B80B7A6FE0D976EC37A05494803E2BA8F031C6D519B01560E664D366A3
                                                                                          SHA-512:FCF4C424073D1CC80AE26784D4B6133ADE3A294504B00B9A595D7672EF4C4628128F9A884F2FE1C36705370ED00DDC93F0D2A9253CE669551816AC572008F0F7
                                                                                          Malicious:false
                                                                                          Preview: 6xAJOA6D4434LDiE2R0BR3C87227265ZdKsRoWg2Df01m492c2jAO68Yk19407C03F79mb3X1M24eVZI84J18K0PO648C99b06X5xU461T484b1v6JD0260fH35f2lACOyQECV3..2T6p60i3r1oW01rDb351C5c39N2lB769Z8g03VW0..PEXTY5911wer4fl2s4550tX101Y7r36G7h8Ou6D6002n5F83B11g477Wi8rI5jwB03138C6v2c6Ig2006N1I2mxfk1Q2B79wsi0bR9l7W8L8S074XOde8xdhi0743M8na93c11F8924..Fi9Js73U49aw17H11080O5v1xR1Oa01ch79404l93K48314..15Qq3Cm362933653Lyq653A514D05bsb936E3G3h865kZxpqp727B4M896106ozhKwkb5gDl8LB47SOTA0l8875b2RZ43WK773Yk3161B2d828ut73WCRv1b12p6466326ikCJ6u8i1X8y58HKfkfKS..
                                                                                          C:\Users\user\AppData\Roaming\22032878\eseh.pdf
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):572
                                                                                          Entropy (8bit):5.456380250671965
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:e2/NvUgY4/WBDY8CIc++k3pxOQKq6dsXmBhuVsb:e2/NHYE2FCvFk+PfdZ
                                                                                          MD5:33E70D61804B626A7EDDCEE87A50DA87
                                                                                          SHA1:198945C6DB88B833EED534835F6BC025E6A71DA7
                                                                                          SHA-256:5DBF289E2085BE6771F0F280E2BCACF93854DDE58D19CA96C3718211EE6E8448
                                                                                          SHA-512:0F87F2A271BDD1916C302E4F37C11AF7E5916B203F825D1896097C4B63547C2D01A42CA7B762FFD219CAA979F312CF74B71C22BC2ED0AADDEEB1BF163991E48F
                                                                                          Malicious:false
                                                                                          Preview: 7d63I6Kx6MWfF2R6363p5n12Qw17W7292j44c8Q780uaFPoH8755GKJ7B778146Q6q617c7VIZ87YSE43f1NJ2M4FDkF6086430QYyZk433530EdYQ6s3Na1v4R09U90VK99j8774Z758..o51VdSPs112l17t33a1R87WgM6fvhZC80Q2FtAKZXJx891290I7..n37q5Ttm1R5xiQGRUNfF67052E8DX7z696049p77Q05pPY0sVZiR93ycPb639X5n1oS4..Kzw757vR99ipV392yUhCe8ax6T5UaS05xSq3bd3572C1H077g35hLq45xB0s4IL5RFs71y3iG9w1rL3..567q201p6P7sRd35821mQ782z670T6p5xdbzd3bM02d42F3mC54R2928117MLe74kd1ohZxJg87x969uup8e6499m10..2TJ315B5hh7f5Pe8j0x3mINy92j6566UF9142Ae0ML5h6M782ZGVj88Y9C3a9gT2wh57g3k3U25461b3T995ySIvuG04200AS7af71sX1965SS7U6bT4Az049hm9L4ZD75..
                                                                                          C:\Users\user\AppData\Roaming\22032878\fbekvf.mp3
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):532
                                                                                          Entropy (8bit):5.50565576271383
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:b9hcDkVJKY8kVT8IYSIDnwYghb1ViaEADd51M5KeXJ:HcQzKnOFIxgp1VWAhHs
                                                                                          MD5:2950A51EBF5FD41C3B90A189699A5DED
                                                                                          SHA1:1E19E946CC40011B7151C211436315D3701BC971
                                                                                          SHA-256:E1550F370DC76E180F02AA73DCF1D908E14CC10B4ABA8AB584BBCB123D4DF7A7
                                                                                          SHA-512:AF304E6670515BC3CF737A28778361452DF8993E39EF59B10E13C8AD67BD3A704B38F1FFBE327D20F20DAA23F5AEE08B91BA46D8B5168DF5E68AC73450A2079D
                                                                                          Malicious:false
                                                                                          Preview: 3Z3l845782I..h0Pf96401dEPDd083891vz350l8881Y2X0Ol88SG7ZSTu360459x1Vshf4K324bJf3Qpj3aoVp15M49lnhy0LA5..R664qeXfw44t86N36m550nY53OLMYQ7Q6R336a4tr8I54VCq5..c8275yo6863a5I22dtzK26ZOhu8i4974m7C8S62D..96iKm99677CG8I9909EO975YtvzLR592l5b714J9e0Mr41Vb599KMRrU5J58cEIVQ0W40zFw2d105dqaUI0D6E253dEZ4bB6W3A1j6Jn227JN7T4E77wF2D19U7ees26A8h54409nTadg68u..8m7n43Qg3Tg0gvb2L7G8vM075wz8V2an4Bj2bS2..OG7Wr8fM79F8w4s2Y0IseXqQ01g4534445O86CLA62A671uWfG7uq3q08NDC7S25D1n8t39t55A1oWzAjZl46hGt70p4c2RIUE9224e5dfUBVg877WiV6cs5G38Z40c8mqs6Iu0394i815201y31..
                                                                                          C:\Users\user\AppData\Roaming\22032878\kuodio.log
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):583
                                                                                          Entropy (8bit):5.52430412603607
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:UFz4xSMqGXlcJ9znBM5GS8DVmT4k1tHSZUiJBFvgWAzNfiMiUIzRNAI:a4xB8pBM5GvJmT4OQf5AxqMiUIzROI
                                                                                          MD5:604A9356E128FD0B739F8F9A195BFA14
                                                                                          SHA1:B670B7377CEFE687441689BBF18390AC011BB3B3
                                                                                          SHA-256:524E4FE024A8E1F68FA315625B6CDCDCB4E243F431F328BD48D67977276F0904
                                                                                          SHA-512:0D0F5191CCF4691F1D3FF558D551796695B13D3F6AF8CA72108F131F8FC96FD1E01F3A73595F824C6B5FCA605B3B304434D045BCE6872EDF633D840A5668E12C
                                                                                          Malicious:false
                                                                                          Preview: 36JlgAv6Rq72ii5..2Qd31t1432K660t1qe3304KVe0M5xwd695u3cq1I9hb5p71TIfQtH0aY370q03025VeTs48OD6T4vG4QOIuT5q74bzTY4Q00l7..B0LZ251852l2M289vQEz0BvH7EFqOX03C26BoAV0l9nk9VRHXz37796A2uiNO8SpS2XBE..57582U4e71GNuDI8w7119C193V8U2..6lf4510Y0V71sw7H4kEs2Ey220f8gV7xcG19n3237EH309lkg99KpmfLh3Lnn19Wv3Rt52Z5U6583p3gPCvR82WGST..Rcl5U574qJn50Z5F7xqPx5b7T921ZC090983QEV2RMz1ud086bZ6E13T4DH3wfOtM3U4324s4J37OrWefsY4841gd80Cy4660hV2U0o790L1biQ2fv..RH65M27DMT1pw508876U5122GAR269NE4463n8823D7P2413yU868vkYhgspc34ZNs39p4I135C5Ts8809u6G8a5y4sVW5tPmL0mT39wZ1325p50114pg5HzB265T2441Vca8E33F1fl7L824LE98jjIA6..
                                                                                          C:\Users\user\AppData\Roaming\22032878\lojmm.bin
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):547
                                                                                          Entropy (8bit):5.499043982252092
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:azDCtiP4Wo1NSbTSXzA0XEgds26u5HLBSWfROnQov:gC9WNbsAsETRu5HLBSVQy
                                                                                          MD5:8FF06F5C040CF50CCD9B8F1121B0384C
                                                                                          SHA1:82A63F1862169346F605467A45CFEFA8E9E0125A
                                                                                          SHA-256:C372657ABEEE57A4524E9DC9BC4F464B08D697E313E18C00D18524FF5103F74C
                                                                                          SHA-512:627644BD0C2AF74F50EFABC4ACDF0E44DEBC6A09E1BFE9644842A70C29BD687BB6DC073A63086E15BC529F7346D62B499FF77D7A348B4E16A1AD13D422A44D62
                                                                                          Malicious:false
                                                                                          Preview: 48H9326y1g99359d51a933G2kmIq0l935327Hu21tw7YT374e05yIb4384B3834041D5842..49sRS711O5thIv9DN2At2apZ6Rz2q6r2R027W2rGsnm086577x2Sd5UOoG7mSagr08g2fNyC5v1DB7lpAxawq9Mi59RU16M15L0707VkL3E614GE8M4o5P17MzN24TW..Bn2Yp408p7yN..9Uc8IVtl7a2ob88p7T609y4016k227k569A70o3X62ReZ94Gb7lN72or49wC0r8c2ueQP67L4ali7j4uIw5yrUlvb6j0BDQP092g6Gr9Ggac07J8w419LUNLH4X924cp96y7i833c3r8P1v247..4KDe10m4mw8F2h79Ek701gw9Ofb356X941MHR4b6X..36WwJ3on0655Mx5Ohj97b90c90u8r1V53UD1m..53s1zs4502U3840aT76eo8da8..45j0elI113QW079T84NTDc144n1g01AqGkDpWZD4g9Eo52f78BK4184cV594Hta769mzf75K..
                                                                                          C:\Users\user\AppData\Roaming\22032878\lqjmggks.ico
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):485356
                                                                                          Entropy (8bit):4.382161397132145
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:a0AXl49W0rfr9tfam7kPcC9jdzKGb0KjcrKUIMgZIKmenPRyiwmF:a0AiA0brfaRz9NwZrKUIMgZIKfPRBws
                                                                                          MD5:C5C34E7F2131E3E95F01D8A2F56DB3B5
                                                                                          SHA1:2643784461E9B597FAA0981F13D80EC80F121A7B
                                                                                          SHA-256:A499D02518697CE0191BFDD7D5C9F82936ABDD6252DE0860D4236B1A09BA0EA8
                                                                                          SHA-512:0CF82DAB5F26B5C66BB79436BA89F8F5F8CABD1F451B8E4205322D250CD2188A7C8F50EA83E12933A0F44DCEFA95C313AB4E05CA1CE5908FA91CFB1B7C7A2F2F
                                                                                          Malicious:false
                                                                                          Preview: F96c7V93z3E9xlB6an0f0Jk6dnd2zNdGY9B..x6h13A2N15f7tVIJ4zqwi43g6jqw8O8I35u97jxaK8tw63Sp..U735c8O18zhlx0aj96Yq1K426j3Sv46494QM78Nvo0A6r05Fz5uaE1930..iZ2DD5u2s8j1455t62l9L47t3C7G1s2Fj4b3Pa6f0pIDBLgApwY5FV9WWhJx9uS..t60Na04xd50322077gLdfHK..0dk578OkYOU68EL6Eh51R17l6SI2P40H67kG68i6Q7B0pX3lTM490EYEkq446NXW5kS682..c1bP7Rh9xn56773F93cI9tHD89SQex17S92LZU2vO3w445alG35cX700246H84o5a2924..853cVJzJ9r4e699UC61216RVaZ1gJ19E16L1f17D0460y28CcE6TRT25dvHp4oL933e56Nl4F7U10LVxd37KEysUjA6..S87o05Pk33C921H7S3549sP34583YC..9uWx8pVewI975F714JXQ5t492z6m9cAN4f57a4j5qZ8..7C58T097RzwZnD262ot1JlK0DH1254Z3WjKosk1ycUikw75i744i137NX4N6LT1063NIaVhSrGrH1U65d0J9N47P..5EO7J79J5NiS8C6Pr355l712yM77BjNh176K6067tn7HA5NG23PF..p185Bzr36A3HIRQk81UJchw0fJ54z7qoOWy..h6VJh35O3Gw60s7FlizB955Sk2S83HBoak5r3N29Ne2V78zAO400lo5204Z1..3Pbp00f4S3M8V8421l4PGcS0005AsOz2996dvPY1Xc0o0Kut4SPkH41PboWu1U41Bo04hY3633LVy5dMGS9..K02b76A4BpcFbq6ZSxx6erfv7CDig877e9RpeiYaE5RgpW4k7O8wl6db87O3V2O6Kb11L2i6G2y49mVw5d2e8j6A230..SI4A1Yt67g3zlj2IG3nc7Q1003nQ5Q
                                                                                          C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):664816
                                                                                          Entropy (8bit):6.570907651581873
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:eBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4ajl5DGDt2:wcneJVBvXAvwRJdwvZ5ajl5DGR2
                                                                                          MD5:51663CBA5E7E841A0443112BF5E57049
                                                                                          SHA1:724815819609CE9AA6674D16C91B2A4202583F4D
                                                                                          SHA-256:B5B9D67F36E0B504692B8DD25EFA62400F7A50D623DEBC849F42233C0F5319EB
                                                                                          SHA-512:58EA9D766112650ED84E8243E464FECF378C5BB2F249093965AE65395ADA1CC1152F5DDFDE442B8511D2B943C46A9EE9117718E1AFB4A30DE32DDC7AB7AE1C18
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Metadefender, Detection: 19%
                                                                                          • Antivirus: ReversingLabs, Detection: 45%
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................p............@...@.......@.........................T.......p<.......................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...p<.......>...R..............@..@.reloc...u.......v..................@..B................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Users\user\AppData\Roaming\22032878\plee.xl
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):573
                                                                                          Entropy (8bit):5.499991624458592
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:RaHZ6e0gr4O9I7yssHpgd9YTUlIeoFz5z04SM34arY8/T2mkMX6:RaLXW77sJgIYSeM7pjYYRK
                                                                                          MD5:48FE7BDA227A704E88CE662329BE36E6
                                                                                          SHA1:EC4BD966BBADA72FFE5E21002DCB5107FCBAB1CE
                                                                                          SHA-256:692BF4E2325382E6BC40418806CC450FCC3163D861C37C7AE9528A412555BB73
                                                                                          SHA-512:C0B84C62A25FC3F692A0D79AFE55811EF95657A9476003911C3CA9646DF315371CF11920DA9A8D70CEC6EB34D2D7D919D02211C9634873F6F88161ECC999DB5C
                                                                                          Malicious:false
                                                                                          Preview: gQ09Nuz15L7138b..YJ2Zan82YA37Grdz78Of3Oz10x005jT2022l5Ua5gG2QrJ2ra14w203JQ1158531053x6v4Vs29uq7121709f3P89k812l1p3D430TNC543..0Hk4Jm1344Uy623wU1bV94rm27q8ZU2w478AE27GMlCF8a044W9m04GcPM70kQ2Y70wD2r553v..7f608wS80LPx6o8coA1ieRg5eF04u7u6BX08Kla1d36CCo2hO5f28Akc3078ys47o18M..bD3o9988..M10kSF8TK23br20qno5q0AI57R97x4Y4..Y2DP7E9H80h05fS4e3B025E4X76tT0Tb2L475VQz5..4yn83hEZDtbk6Apq7t3937107dI4f6Y8qdw1dC34410F2l125v64U7EXjtG3845GB8gU96k62MRLK..Cml272NiH87k71Q53405Vh9Ue3i08986zx43tvm0k4x4L71RrX9nlzk98fKhSnnx7419pN17H500Zy22Deejp31vxFrl4934XY7kQn5V5aZzY3523OBrzEv525507747wuj87..
                                                                                          C:\Users\user\AppData\Roaming\22032878\poqhjae.xml
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):664
                                                                                          Entropy (8bit):5.430182663949951
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:C20k3o0JVlwOZTiiT8pGF6Z/Ofup7Uf06ahK4SI/UHWTg45qz3VbmbwWESbWKmWA:C2ZjlTJ8pGF+/OmCXas4B/a45qz3VbmK
                                                                                          MD5:4D6C493CBB6EE4AA30D1D3CACBFAB719
                                                                                          SHA1:0F3AA84F48D3034831B41DB70B97B543AEF09671
                                                                                          SHA-256:A9B846EB017D3625686790EFD741EC3E1EE9C9B7F0E589C7DDE8FCD2C60028E7
                                                                                          SHA-512:0272556F9B46C928A69F94FFE1C2BF99BCEEED5E6901088602413D8D83B1C3BC1A3E7C3472463BCA0E27F308D22B491680A6ED8F5CD8E4AF71A38B997FC6FAA9
                                                                                          Malicious:false
                                                                                          Preview: 16aOQ7S05hG107W95U98662Y942vJ89E9i87601mCQ85j2eP3F01h0317I5dqh91baH..N8eu6O20569zj7BvtAn3DGMp7IfVvy177741YJ2x3Ul368Trl813f58AV8..LV613Y78a5i31H7zLG3537M05w7dr7157tD680J44X0212061J..2J2070mH1838009vSIDVIed..50Sjbz6638WI499jXiVI281pbcMnFv70f65l9y66c3f79x7H8QAtAW5814783q76Uc7o..k6d7fAGBbJxKJ0I33578R4392d843424S32827pkNn1X3RO21uEx89V1AcNN1EaovR..8XQWFCCbf550Qu38Vfu6a48703Hzv008d34W58K06qiT43XUgSD72Ud763S96382C16x91yb38hN28iFC5405550b638..47C4W66G5fJb11805sXE5ek00O3I821..345i7a0d5WAu7f78a90n..228ii14Y40il2dZX3AL0R0F2X631s67LnX4621RV61ats6L34F1RL69n1970VX046X54210ZuUbY63v6pGDK1FpJGU9BN8S4C7X08QdXAT6300ZZI74O541tl3D3b9rPZ7485kb77K67omMl73Xm7w8n710nUSSwF76KqU318..
                                                                                          C:\Users\user\AppData\Roaming\22032878\rkevqw.txt
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):559
                                                                                          Entropy (8bit):5.522582367791629
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TpFIKVNQKFMX8Ex1fP68zDARMrOtMdrtL+uy+ahky:TpOK79F4hDfLzKMr8kp+gby
                                                                                          MD5:A183CDFA1098B2EC3E6B8E310FCD0BF5
                                                                                          SHA1:679C458CACFA7E8B54ED146CC73402CA64D79FD3
                                                                                          SHA-256:A3D37F1F39C36630F742778251270704AD1B5C5F7F688778920F29E82A51C631
                                                                                          SHA-512:AF9AA237367FCAA8ECD571D533292C74D6F05C2ABA741DB89BAF7F0AE72286A186D7D6D37BE7B6F1EA0D060974492CF05FFAD37F0DEE0C0A39EC883CD679160C
                                                                                          Malicious:false
                                                                                          Preview: 57Zpt22j03pkV4rC11kjZ90R71Iy856B0ZR1iiEbTXH8bSudM305RGB8W0BRrA578VI47313k118uFLj4440jSF9z395L816543A25K4s6JM78r9MXf298RaGY0TIWN56..80347VB8y3zIwm45F36..85QK3Id100C..r9407721835c9M044P817GrN3j59h5221Xv..PFn398K4t7l8s47f591W72q7uSiz0J7MeLh505v00J5tAPY988jlL..5Q77R1r6xSkl75093cJhjrq3Ne3473o8mcaSuVR97363D8euan5Ud010NDZ3ifor3j63Y0064Nh47GJA2y2tHm94Hz4d5E..37Q8ipe037Z52u58MPu84056i0Z99yg0W679r2ar9V54HY0nQ9759WYWlD5uZ56715pTbLLb0H5O4r1Rx99ahigA2..4Ku3i2zEXBZ8K6Q3Gy7YZ5MeyK1g64Z9QE2FUf96Lkr87QgTg03UA9U5F6Y3w82N7o8a6wMJ15xUum615837zN99R7d5o267gFjrk3E0f0218ZMIQ..
                                                                                          C:\Users\user\AppData\Roaming\22032878\rnpxxre.icm
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):550
                                                                                          Entropy (8bit):5.478420245483416
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:jydRJFLqz6Bs+nww++yOqAdBC8+BBuFGU9u904k1Rz3i+m:wRJi2s9FBkBC3et4k3Pm
                                                                                          MD5:4889DDFC0C45FAB0B2E44FB4A306E9A6
                                                                                          SHA1:1183C9BFDC5422E4EBCE88C19B6087808A4B312B
                                                                                          SHA-256:CBFD442D9A41B4746AC363EF4F26DB832E928E76353834BC0C5FFCB77832EBFF
                                                                                          SHA-512:F61537698859E19576FA01BA0C2C13F12BE93C4A942BBC5737C2DE2BD176428A98B6375FACDB76BEA29CDC5A2BDA02350A6571EBD7D8E0C4F45EE1FE33218AD7
                                                                                          Malicious:false
                                                                                          Preview: 29o29u2HX8CpS37Cv65aFR5QU15F93256XY1z0pCC4Lh03Zk9H85dm1z2Qu..17e2s5wIa3O9TPN23YxH21cYuWpRwB3Nd4T5l6311x035k29EYc8r28O7q5q38Sh0J5b..F7vnT2K9OlGxw..L138QD0Q52pV1851PUB1280KL4Z913738Q48o4B70898mKe29Vw0pK89uI7537vC9771r534iH93tb7NY8Q5k6hm88Uxy7G05e1P224yw7BgitOyRkaV263J3z3sNP4..Mx36gL0g1p3VC8Zk760t87Iy4kHO08644jag95v4v3583c35948u128W39T067796E..24HeXjTr171ULl8D7ct4015zX1e6548h9X8t4410N0SU9uNc51R13bgR4P57WAzE260Is112T060549140023lx74wHr6rX5r8t8pYS30yr3972B88A02186oi959R5122..75Cs97YR70Lz0495G6524Uq979s1as7pp8lYE6dGlyx9Mn3tz1A5j6q9F6qNA7okZqY0jW7rm..
                                                                                          C:\Users\user\AppData\Roaming\22032878\tejpjdone.dat
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):520
                                                                                          Entropy (8bit):5.456583021020405
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:mbAILbQBRciICyX7Zsc0XyvH80SnKuzExcRkRaS1ax3eQgDGwxLJ15:ILbHidyXWc0XA8pnXzQcuR9U3e7dJ15
                                                                                          MD5:53EAE0D6898062E81046FDD92DD7912A
                                                                                          SHA1:D4CAA9D47FA27F439D22A45A6B75E53274430DEE
                                                                                          SHA-256:323B98DCB2B894092EC267B5616A5D05CAB4F2795BCB8333E2A7163252BA13EB
                                                                                          SHA-512:F47AB84732E7482EA10FFF850C4578348F21A98F624A8594E15F8DFE3BB7579ADE91BB20674D4DC490E78A373E870A7A0A468A47E6CA2FD71BEA254AA5DA51D4
                                                                                          Malicious:false
                                                                                          Preview: 13028J9C2G09RW3H50qg4QL110U26fMTvVfM6886P5A11..m1749Hp9oagD7805M9619BU..7h974G842ZNo18aV9ic1W21ZB0NY8yX2M024A4E4qLJy5BJ04Em6yx164f12LG5A1j1vv328fQ5r5Jb4g5j9750E7R9XYaeWU247OS6plc1679VG..xy1e44eTS43u52T14587mI4MRpB4o00f7uWF957sqOCeXad237460u26xkT9Z25RS0IFLGA01CX8q8TVQa638y1khcM32RQ97375F1X4Z8sH9..cHE4S90v20qD84Z6rO340Nvr4R43CTuw6wA633u52781rbo447yPC7AOh1M496Z930Drp9NJEn24T1303D553LL43Svk64826Dos94gzDr387063iB84269gZ91qkFlyF881U38w5Mzj09..Eb0g371FK3M7019N886q7637e7D60X468YY9067mXDt3x223p9wY78Y3C6167s8Owr675w4NUt199..
                                                                                          C:\Users\user\AppData\Roaming\22032878\txum.exe
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):575
                                                                                          Entropy (8bit):5.526129708681296
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:nGXtVjd0Wk1KObRrHnf82p8Skg8iniHqeJsLKsnTkYO+H32GRUZ9cEuBUfh:nGXtVjdsbFf85g8iniKeyL5O+TRUZylo
                                                                                          MD5:F4405478D69CB8C97303399BA69354C4
                                                                                          SHA1:67555AE21178B5233AC5A3582AF6AE163F4CB531
                                                                                          SHA-256:E2173B7F096A160EB049F7D31B939CCA386CE7F6C1A3BCE6BFAF3BE44F026DFE
                                                                                          SHA-512:357B87044E733F99736463444B79E055D06E8C407B1E7C2E74C49CDB9593AFF98B7E2A193896D62975C1FF7D9860792AA74D4A49FFE2019120DF8B758A6BEFCC
                                                                                          Malicious:false
                                                                                          Preview: JUZa1580659YZ7M5FQ7P6a7x527M4924e6J6811h442V92Df37h8g02wNo69o3..5636yDLuc..660Qg25n1e53z5C442tTAEbg6s5E4NRW807UT181QSYf56jUi4R7tcDeLa627NH7324i8A83KIdz4o3eP..8t7388Urs28F8xer3m8o72144ehxzzEI3lmXw794BypO02811w8J63FDA49wSL1570P31360cy3x89K10D6fa6w86g0y21n8PX0CzJp1o13Jreu2PapIn0217ndKY1Z2ig8P35ub6Uj7It94MdQX83K..fE512f4sqhdkf7rIJ1a20G1C4Ln16R5oQ02mP15195609EC0Qh24M0Z75s7uw431658P9EY58Q6UK95P1Kg31gtT8946CntdaT..61vp62wX66oW2F82BNW8Dp7u7r9f1lS236i1TYTr57K112Q45Wz5cnqM0j09m6txK8407c4E7..34B28NLfbMWO7p299cs45t41Drc65Exw8sA0JGO0F936c24Oc323JV04WLh249nsZl71azwj4W537xnnlm8AZm3..
                                                                                          C:\Users\user\AppData\Roaming\22032878\ucjondx.exe
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):503
                                                                                          Entropy (8bit):5.411685378015985
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:CvzQprZI1VRsjCbqfR7G8WJyku1aV5nqfXKbYFrdNXYIX7Y:BcQjCb6c8aEaVpqyIBlLY
                                                                                          MD5:C75A9014ED721FB41E33021171F17395
                                                                                          SHA1:BEDAC4FCB9E9C70764A4E977597A2CE026C72778
                                                                                          SHA-256:7725496DA1E6CD5A0EC7B39748D1B4559D2DB1D100813B920E8790BE47985088
                                                                                          SHA-512:4A07C4C7D497BB5E33B743D3776AF0B7732A01455320741E83E97928D4ED383D984DBD782DC94B703B43DFF8BFDFBFEF01EACAF2B515F66912F65B28DA48A3BE
                                                                                          Malicious:false
                                                                                          Preview: OjF0669rS6fen4M39F94e9iw67g7mEWRAk9Tb5P26f9S3e3mBy5lsq68dT7mwn5ma3417b3662U41231wA44bu7877Uin1949z17s5D..0T306t43e2r8OTzMYV3574iB0981O4uq86Vg8f3mbA..tX41o4j3DcDQ1F9hn1A0l7711Pd79kJ9U1H0E3C8A37hu1Qy33iu2S3tE56..5J5R2bM9Re6dJ0d6F87o43n6346fW..N4E7x8336ZVg..q4bV1..v5QF1wTW6c058898vGUG60836Y7594701m9xA424DA6g9w3e4Nv1508z85VM0o9XA34XQHe514m..0ohe6u8qnBWb0p3b9524775281feeV592o0612HB6265mX5q..D0B7I..7w6BO10sQpfj7b58X647n648Xvo15i4Jd4018QY31Gqbs172B906y168EE48I81018Je8jK6YQ94gUu35B71g38..6cRwm0s7r6Bg8D4G..
                                                                                          C:\Users\user\AppData\Roaming\22032878\vhcpj.log
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):566
                                                                                          Entropy (8bit):5.516316428481893
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:8uYNnG1JvdT5nhK7hkzwm9nSWI8xrW6vQCM6YHGD1i:Jq0vdT5hK7h0JBxrW+Qf6YHs1i
                                                                                          MD5:158639DFE28B8CDD93F5F1A78B87EA56
                                                                                          SHA1:09119918EBE955BEC813B17C2FB74ECCB5B3FB0F
                                                                                          SHA-256:9BB7FFEDC07EF18132CB3EDB065DCAE945A4A139BE62479F19895368521211C2
                                                                                          SHA-512:C195EAEC103492B36A01777FD49FBC0A4E8AB0571D64F423E5F96A96705158059D1523349092B2F3A09305F680876E3216DA52341CEB25028EC9E88333132803
                                                                                          Malicious:false
                                                                                          Preview: 4ES4z22SfQiv5u64jL4a8dg6kh81851xEAFU5w173K58nAW03ZV9O19..5cbES03Mr07RZ5977Fa19LSk220m359wz99a7m4pU84743h2554mx9U8Xa4BLlzVKF1h5442u9u3W4Jc1Otm88R125DtBJ5WT9..338Sf4..M9Ndr1k7ZMeZ8uGm2o8Dgp39C6q3Fl2xLx4qj1Yy0r1R7tREy486729639560A6Z3CWI4fC73x54..H8d0241aK4xKtV4J00VOz1am5W69ysy5423Cu3r1ahD9Zo79h10si5lQbM26vv6dF9Fa157W63l..x9aC2FDmG..5YZls4600290SM56yDN5SSv1QO02L3Ac678N2c3DF2ht49146t6LO3j4uX4065f2..gN4GApe0vuF51Mv4Z4N14144M16y4c775pw10n3n61..NG8L3l692i44cG762966ck09zfkhm28c82B3a02wSQwb8zZN3RoNd68tO2A8740090O2F2E59Rf23W14njTmA529o2X2T14cILbBkv30g7wX0ai2Cb87j37p26t..
                                                                                          C:\Users\user\AppData\Roaming\22032878\vmwkpdfbe.xls
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):565
                                                                                          Entropy (8bit):5.5416700480025565
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:PyF+p25R4Xfas62k++wQjd0twFkWTU/jljaOcLNGydO3hLxdI6S27DxR01+:Ku2AH62k+5Qh0tmkWQwLNGOO3uo7DxRZ
                                                                                          MD5:45ADEFB7B7309472FAE812C9004915E3
                                                                                          SHA1:78BA0C1D1BC8C15B4E8175DC4719C32F4C5E3E5A
                                                                                          SHA-256:83440C3453A12458150A99C915DD1D7DCF5F256B44FEC3D8625C5D836B9BBF3A
                                                                                          SHA-512:AEC3D4C8C9909AD4F5692B24B1A6D6FE50310CE53B25CF7F9EFF8CC316CCFB948B90E78B4AD542A4F1FD7F81E5996AF7B144F48843C747B95F779897C38ABB62
                                                                                          Malicious:false
                                                                                          Preview: 565P0p5J86fU934u0T9u8My8c5rxe47qH7L53N4296gy26W5180i12226S9qw18eaI8825y57f5U53..E3r3xhnTN2bMH8hdb35DLaRSq3f0Ni07q5XV2HTq872dHKU114X8W35el8LT78w30aM41P0KeORV6cvRm6..E3Xw9YWDflrUBDwbTI4vv1s3f25r8PwM66rJPV1UX56469zNQ7012..8LmM575R708SKi1nuH8uz408rFq92f8ubc8M7Ao2GWo173vy1r937XSi74619Y2hYm37yX551P3PaR06Sn36GIzbrJ8bJuaXwr484T8pUlf6qD55e50G1T31548Uy7KxS065OIhn6GItwPQ3x12q9EUYmy8L3k2951hA9h04v23868..637QC48z17TV1X..7lRcT3mQ584Ts5z64TA5w6n6d4N4..cy0N5X6p752D9RRrm78731O0L7E5y3B..V49iQ9240i1I9E31q9g4VKcA2NX1P112xJ9488yWKcISM5Xe37z0Rau33r56k159jK07QrMtos0Z7Y0r24QK3g0aM..
                                                                                          C:\Users\user\AppData\Roaming\22032878\vxhqol.jpg
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):504
                                                                                          Entropy (8bit):5.436588232072642
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:i9Dkb1roXOYZ0dVKXkjQH0ygqHi9K0QOqzl:2kNYZkVKU0H0ygqC9K0bWl
                                                                                          MD5:854039E8892A6AF3BB237C8C5FDBEDA2
                                                                                          SHA1:EEC1068497F4C8C178BB4E273433646FF0AB4DD4
                                                                                          SHA-256:7A69FB54E9B5F631D1C7878ABD4A1EDA15AAAC43F32828DEE31F35F89298143B
                                                                                          SHA-512:71A415DEA79742A177AF1DF0D856F017639216373862510F1089FA8A049056D528FDF2942C79089396B0AE28A3E48B24523BBCDC4A0AEB188C4DAC85655028AA
                                                                                          Malicious:false
                                                                                          Preview: JB48R3FouI8PdP243s669600ssmcx39a2O2D78..15T664P0C9W7ML7127J9g1kgTz26iD89LTrDQ7sdD353Z1O45T58l5o75O6cfiunZlc92jd05UBYIvFDS2mhOMI388S448ap5Q9v6y837K0EU68C5U0145M8wtD20s61Qa..9156F8N8j0Gh9208692JP673U92m9F..P2AX1ZA5s505D47N55v0Yw4Di50kMB808930b2y57fN1s1J1ta4cMyp2993pe4JoX10fDwib18cTyC0V4x9Z9mq1..360Up10hQMX8N082TO80s0X4e3Hno3oi427857Oq3s9D2267C995IzekVRcoC432yUfo82vH1p1bc5cs5t2aSv12s48jI683szs203Y34IGd..F81837q9u694Lu191oa5kZ875U0156435HO5g1..461854Jd45946BHq1X74271682VO0k02mKY6Y5b4U59FgV40H8204h90KS..
                                                                                          C:\Users\user\AppData\Roaming\22032878\wawopnh.xml
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):542
                                                                                          Entropy (8bit):5.435844680914607
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:f0NCiBAoKCMuCJME3Khwu2Tf5N10v7sTbvDflrhv/I/LjWNkRn:2lotMEF5XTbjdtIPWNs
                                                                                          MD5:CA3375B40AE610E80B80F479BCD7CA79
                                                                                          SHA1:188BBEE5E1F86DA84AC17AF971CAC635C6447BB8
                                                                                          SHA-256:65C7147B661E9B75ECFFF54706E894AA25E6399E7EF1C8DFE9E56B53643C425F
                                                                                          SHA-512:1725511DD6135BC890D4FDC33D585254D884A2242C9EA314A512DDD42AF3321326EE25A00BBC2D72637ECDC85D512B4A808D8A38C920408A9A438D55254755AE
                                                                                          Malicious:false
                                                                                          Preview: 69w10kQ29VC35732..0ix02sq0wJ1O557f..H54QGEb2Nnn241862N9I06CLV70J7010gB61120R543o80Ox03mEe..w323043CXjsYF89sl0..2N65z7i40827Ymt3GC7b5002X26tvV43l9x2925r3Dvv7eVR51kzmC6..84Xi8C8w2I917q11yz80U41096UXP340O3bQ1E5odFLPUQN13Oi973Z4IGkcG2..765F48DjtHtpq463e7Klef6t42c2f13W96..5zbr85X25Pj8wd124mY89nxU244m2CAJs6QzO6823xr7J1pi99Mt137682UG6JX2b1988Y02N39220S..9Y5pUwQ06V57zE8H9jx63g13u2lE1CPNK6kpp8..3be4V63pT0R23U287A95251g8H6P86786hV2Q47sU8W2K8J18TQbYKX671O0j0I81..o2hz730w4Wcu664u2J973v1yrRq15961C403213ZS4ttzonOnW58CvwvI880QKUMrye32x448yCQSCxE68J0..
                                                                                          C:\Users\user\AppData\Roaming\22032878\xaso.fhr
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):89158036
                                                                                          Entropy (8bit):7.047537320550963
                                                                                          Encrypted:false
                                                                                          SSDEEP:393216:wL/HcmIzTYbzRoYe0wveaBt8KVp+ziboJL/nUuELfLu/W8tVGNoJy9Uh12y/Oasn:N
                                                                                          MD5:849C1F5F156BC2BA9528E0F6B7BCE4A6
                                                                                          SHA1:CAC5BBA70ABD7B8F72382DDE6D25010A702D88E4
                                                                                          SHA-256:D7782A1453D34566C6B8B6D71DA32BA153DB1A90CB2F3483C6C759D8C8E66D62
                                                                                          SHA-512:F7C68FF539EB5A8E83BE5D88723BF1436DF0EE01EBF4A1C1122AC92EFA151D67184D29BBEAF873B066F41B4DD2F7751EECD7ABD1DEEC5F3BE9C3818331244C3B
                                                                                          Malicious:false
                                                                                          Preview: ..;...$.^^.)....L..].c!.}...5..J{..1.(cW.>.>E..]...A.P.K.{..[..v...P...C.%d...&..x>..?..6g......S;.....m.a.r.........#.c.s..M..9..O5uA...<.o.......=t.'.O...[..0gV...x ..dhD.jx.#U;...z...C...3X...y./.s....o8....L$.p.#.`DA..m.}.A........5...eV:`.>...).!p.>...........E.q..5.......\..fI.F.3e..Q.2.5p:O.#hy6...nb.P.'..F@....3.7.s.6.7.4.m.N.9.N.N.T.6.9.O.6.1.d.h.s.9.4.3.A.v.8.j.C.q.I.P.4.O.t.A.W.S.W.N.0.y.0.A.R.D.l.....[..wm...[....V.].^./.T.......+IU.........p]..p."...(x.n(..rU}s.....c..#|.~......n.JN.q.{MZ.+m..1u...Z2q..E...N.|k?..]..._*&1H.:Ad........6.7.1.P.0.6.u.o.2.2.....8.K.U.Q.b.9.n.3.0.8.4.I.Z.6.1.7.G.s.8.M.W.L.9.A.9.Y.4.6.2.1.A.3.7.4.Z.2.Z.0.4.j.f.T.D.g.S.Z.w.....b.7.8.p.9.K.8.3.5.8.9.q.8.8.y.r.2.M.E.0.7.6.H.r.4.5.6.8.B.G.6.8.P.....V......u..|..`)..g.J..k..z=...;.R.@.-v8.....n.Q..@ ..uH..}..jDyW;U+w.I.Ry......._...y....L.v.".@.I?b..D.o..G?)G._.u*.Y.<6].y1.......q.`_.)K.C........]a9..Bz.......PA.S......AE.].D.,...._....h.....nEK......G.Jh...)......
                                                                                          C:\Users\user\AppData\Roaming\22032878\xltllfaf.dat
                                                                                          Process:C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):516
                                                                                          Entropy (8bit):5.508661863014793
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:JOFKaWmJJVJBVWQYHyWQGG5DnnZd0pjY/BaZ2JkAbR:UeEJVJCQYSW34nZdz/BaZ2JkAbR
                                                                                          MD5:5126D494BCFE29FCCEB72C7D472EB601
                                                                                          SHA1:D0C8FF41C88B85FC0862A05B974A71B4BEFCA006
                                                                                          SHA-256:B1AB630B7C84E02AD585F4762E029D780040F1329788894174124574A2168B2B
                                                                                          SHA-512:A534A08CEF6C4A683E1D5B8240A30A79727B079327AC1E21A4D6B5B91751B009E37D43582CB5252247239E4A18FD34B9EB1A10651484917E6572EFBAED89BE5C
                                                                                          Malicious:false
                                                                                          Preview: g160X..Jd160vB35824sr10B47su7T37k0RMg0Fb..0XBJ814321Vs22c6Y3P8Iuf3866Z0b16X4MT5f497Vu8Ts0EX342Q9SK041IJS4uVR6ERkFz8pFC5L2GH2by20i5224NcK3E0N2W2Z3fd05Dg1P029j6Jd8IW4Ye9vp9..iQ7q23wBoh9Z7u2hP834Q7z903tsm1I9ruq8yj01i30eS8Go7KU6571Z9cx2948wbTa3i54KK371N183079571V..0g28V48L6A7eSwf1u0454ZwQ7..5656Ugt0Y097L007Q48Xo61HU50..mi7mql942thjQTT66dIZL3G735L3321SKfqebt65U37lsyh6994377qt25m1uvp6jb662B397q983..322Jx02hf3JJT5ByBg1nX2a3D5b3P2N1oak38f..F3VkGK65ky4MuHXwh79cJrI09F99kllu1Q17oD3814GA7Q2P6N1iih8eU19439JXpr83C387qX4ec9..
                                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):8
                                                                                          Entropy (8bit):3.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:cgPn:cgPn
                                                                                          MD5:68C37A35BAB3DEEE0C4AD3AE407363F6
                                                                                          SHA1:8EABC744E14B3D9C79FB928183A6B0E472363298
                                                                                          SHA-256:02AAF7E7E62DEB355B4F7E0E9F1C78965957D8EE3F7E319590C4B30D5DE6D2A3
                                                                                          SHA-512:97A588C6F7BDB36DDB7200FDF27FC0B01CA7B0FA131E354F98294D9B2E68AE6B972FF6B6A3A86F450BB8683FED29CA85266AB02D2E2C728EA74AD2E5D5541B36
                                                                                          Malicious:true
                                                                                          Preview: z.G....H
                                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):45
                                                                                          Entropy (8bit):4.324534762707879
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:oNt+kiE2J5xAIwGMNn:oNwkn23fA
                                                                                          MD5:47370DB2229FE5D11F48C7C4DCF1D3DA
                                                                                          SHA1:02F189B1593B564FAF6B30C1573A6C4156EEA2B8
                                                                                          SHA-256:8DA13D1ABADD97A50839C4237102C680E32B80F56B8B594ACC289D603779F743
                                                                                          SHA-512:0FAE24E7BA758031C3850E96BFB9F93B71E9CDF886A83F83F8B0BB57C76403DA0563E3B9117360968AA279927EB7FB8F77BA48B446635E60D159AFFB96979550
                                                                                          Malicious:false
                                                                                          Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          C:\Users\user\temp\lqjmggks.ico
                                                                                          Process:C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):77
                                                                                          Entropy (8bit):4.951742632043194
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:YRRvut8EENvuAp8XRGdYHJUgm17n:Avx9Hwm17
                                                                                          MD5:D12EFF1149B52E35D77B216A783E46A0
                                                                                          SHA1:16D6CB1900FF3AADDC4B1DF98ACE37F064923701
                                                                                          SHA-256:0DDC47409A7323ACD044E09756C93E78635D1A32DAA4FBDC3483FDE8B4E754FE
                                                                                          SHA-512:8A965C18E4DA732A9D130D8486449ED6D9BDA8FE0312BE952B89FE07F87B5364DE99983A8DFB42D0E7FD48101B871885EDF0E0DEB3DE4C39E35D12646B341CDA
                                                                                          Malicious:false
                                                                                          Preview: [S3tt!ng]..stpth=%appdata%..Key=Chrome..Dir3ctory=22032878..ExE_c=nfiuc.pif..
                                                                                          \Device\ConDrv
                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1141
                                                                                          Entropy (8bit):4.44831826838854
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                          MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                          SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                          SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                          SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                          Malicious:false
                                                                                          Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.8085078655708235
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:zunUbtZ2Y3.exe
                                                                                          File size:986265
                                                                                          MD5:5ea59097fb7eed4ac42b666ac548d39c
                                                                                          SHA1:919a1f62dc0358405d1d8a07dd9c1c7f1a6c1d87
                                                                                          SHA256:b4457b3e745bbed3ab4d61442ae846c3a06d42280c2937e406e48fea05fed6e0
                                                                                          SHA512:84f9e8568fe4d17885cdd66faee17ede2a6b2ab1c8ec3817c12576e5f88ad274f3e26e6b5b46734ea4d426b2ca5b0ce1e5fa5b9e2b6617eac5977422a33335d6
                                                                                          SSDEEP:24576:BAOcZpJXVxqwjJqe6qRNoIc1Jek/LKFT361Y5a+nyn:biqwn6qRvcCk/LcT3G2/nyn
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

                                                                                          File Icon

                                                                                          Icon Hash:1ab8e6e663d6c77a

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x41e1f9
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                          Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:5
                                                                                          OS Version Minor:1
                                                                                          File Version Major:5
                                                                                          File Version Minor:1
                                                                                          Subsystem Version Major:5
                                                                                          Subsystem Version Minor:1
                                                                                          Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          call 00007FBA084690DFh
                                                                                          jmp 00007FBA08468AD3h
                                                                                          cmp ecx, dword ptr [0043D668h]
                                                                                          jne 00007FBA08468C45h
                                                                                          ret
                                                                                          jmp 00007FBA08469255h
                                                                                          ret
                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                          mov eax, ecx
                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                          mov dword ptr [ecx+04h], 00433068h
                                                                                          mov dword ptr [ecx], 00434284h
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          push esi
                                                                                          push dword ptr [ebp+08h]
                                                                                          mov esi, ecx
                                                                                          call 00007FBA0845C051h
                                                                                          mov dword ptr [esi], 00434290h
                                                                                          mov eax, esi
                                                                                          pop esi
                                                                                          pop ebp
                                                                                          retn 0004h
                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                          mov eax, ecx
                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                          mov dword ptr [ecx+04h], 00434298h
                                                                                          mov dword ptr [ecx], 00434290h
                                                                                          ret
                                                                                          lea eax, dword ptr [ecx+04h]
                                                                                          mov dword ptr [ecx], 00434278h
                                                                                          push eax
                                                                                          call 00007FBA0846BDEDh
                                                                                          pop ecx
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          push esi
                                                                                          mov esi, ecx
                                                                                          lea eax, dword ptr [esi+04h]
                                                                                          mov dword ptr [esi], 00434278h
                                                                                          push eax
                                                                                          call 00007FBA0846BDD6h
                                                                                          test byte ptr [ebp+08h], 00000001h
                                                                                          pop ecx
                                                                                          je 00007FBA08468C4Ch
                                                                                          push 0000000Ch
                                                                                          push esi
                                                                                          call 00007FBA0846820Fh
                                                                                          pop ecx
                                                                                          pop ecx
                                                                                          mov eax, esi
                                                                                          pop esi
                                                                                          pop ebp
                                                                                          retn 0004h
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          sub esp, 0Ch
                                                                                          lea ecx, dword ptr [ebp-0Ch]
                                                                                          call 00007FBA08468BAEh
                                                                                          push 0043A410h
                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                          push eax
                                                                                          call 00007FBA0846B4D5h
                                                                                          int3
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          sub esp, 0Ch

                                                                                          Rich Headers

                                                                                          Programming Language:
                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                          • [EXP] VS2015 UPD3.1 build 24215
                                                                                          • [LNK] VS2015 UPD3.1 build 24215
                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                          • [C++] VS2015 UPD3.1 build 24215
                                                                                          • [RES] VS2015 UPD3 build 24213

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x3b540          0x34          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3b574          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x57e8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x68000          0x210c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x397d0          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x34218          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x32000          0x260         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x3aaec          0x120         .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x30581       0x30600   False     0.589268410853   data       6.70021125825  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x32000          0xa332        0xa400    False     0.455030487805   data       5.23888424127  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3d000          0x238b0       0x1200    False     0.368272569444   data       3.83993526939  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids  0x61000          0xe8          0x200     False     0.333984375      data       2.12166381533  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x62000          0x57e8        0x5800    False     0.618430397727   data       6.34217881671  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x68000          0x210c        0x2200    False     0.786534926471   data       6.61038519378  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                                                                                           Language  Country
PNG            0x62524  0xb45   PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced                                      English   United States
PNG            0x6306c  0x15a9  PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced                                     English   United States
RT_ICON        0x64618  0xea8   data
RT_DIALOG      0x654c0  0x286   data                                                                                           English   United States
RT_DIALOG      0x65748  0x13a   data                                                                                           English   United States
RT_DIALOG      0x65884  0xec    data                                                                                           English   United States
RT_DIALOG      0x65970  0x12e   data                                                                                           English   United States
RT_DIALOG      0x65aa0  0x338   data                                                                                           English   United States
RT_DIALOG      0x65dd8  0x252   data                                                                                           English   United States
RT_STRING      0x6602c  0x1e2   data                                                                                           English   United States
RT_STRING      0x66210  0x1cc   data                                                                                           English   United States
RT_STRING      0x663dc  0x1b8   data                                                                                           English   United States
RT_STRING      0x66594  0x146   Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500  English   United States
RT_STRING      0x666dc  0x446   data                                                                                           English   United States
RT_STRING      0x66b24  0x166   data                                                                                           English   United States
RT_STRING      0x66c8c  0x152   data                                                                                           English   United States
RT_STRING      0x66de0  0x10a   data                                                                                           English   United States
RT_STRING      0x66eec  0xbc    data                                                                                           English   United States
RT_STRING      0x66fa8  0xd6    data                                                                                           English   United States
RT_GROUP_ICON  0x67080  0x14    data
RT_MANIFEST    0x67094  0x753   XML 1.0 document, ASCII text, with CRLF line terminators                                       English   United States

Imports

DLL           Import
KERNEL32.dll  GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll   GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

                                                                                          Network Behavior

                                                                                          Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Apr 8, 2021 19:06:22.620886087 CEST  49729        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:22.652494907 CEST  48154        49729      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:23.191631079 CEST  49729        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:23.220431089 CEST  48154        49729      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:23.793153048 CEST  49729        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:23.820961952 CEST  48154        49729      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:28.064795971 CEST  49730        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:28.128407955 CEST  48154        49730      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:28.629535913 CEST  49730        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:28.658983946 CEST  48154        49730      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:29.161240101 CEST  49730        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:45.241498947 CEST  49731        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:45.283296108 CEST  48154        49731      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:45.792494059 CEST  49731        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:45.821454048 CEST  48154        49731      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:46.323725939 CEST  49731        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:46.351846933 CEST  48154        49731      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:50.357165098 CEST  49732        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:50.383476973 CEST  48154        49732      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:50.886672020 CEST  49732        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:50.941688061 CEST  48154        49732      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:51.449187994 CEST  49732        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:51.475914955 CEST  48154        49732      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:55.487030029 CEST  49734        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:55.516375065 CEST  48154        49734      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:56.027918100 CEST  49734        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:56.060997963 CEST  48154        49734      79.134.225.40  192.168.2.4
Apr 8, 2021 19:06:56.574592113 CEST  49734        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:06:56.614638090 CEST  48154        49734      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:00.623497963 CEST  49735        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:00.649844885 CEST  48154        49735      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:01.153237104 CEST  49735        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:01.181440115 CEST  48154        49735      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:01.684487104 CEST  49735        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:01.712518930 CEST  48154        49735      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:05.763751984 CEST  49736        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:05.791877031 CEST  48154        49736      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:06.294255018 CEST  49736        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:06.333509922 CEST  48154        49736      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:06.841219902 CEST  49736        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:06.880198956 CEST  48154        49736      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:10.942399979 CEST  49737        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:10.968601942 CEST  48154        49737      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:11.482073069 CEST  49737        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:11.510613918 CEST  48154        49737      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:12.013405085 CEST  49737        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:12.041044950 CEST  48154        49737      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:16.087563992 CEST  49738        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:16.131514072 CEST  48154        49738      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:16.638901949 CEST  49738        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:16.678667068 CEST  48154        49738      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:17.185780048 CEST  49738        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:17.213973999 CEST  48154        49738      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:21.234503984 CEST  49739        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:21.268208981 CEST  48154        49739      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:21.779815912 CEST  49739        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:21.806183100 CEST  48154        49739      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:22.311167955 CEST  49739        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:22.338645935 CEST  48154        49739      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:26.344662905 CEST  49740        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:26.380091906 CEST  48154        49740      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:26.889715910 CEST  49740        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:26.916086912 CEST  48154        49740      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:27.420909882 CEST  49740        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:27.448138952 CEST  48154        49740      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:31.454761982 CEST  49741        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:31.496349096 CEST  48154        49741      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:31.999481916 CEST  49741        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:32.025599957 CEST  48154        49741      79.134.225.40  192.168.2.4
Apr 8, 2021 19:07:32.530734062 CEST  49741        48154      192.168.2.4    79.134.225.40
Apr 8, 2021 19:07:32.559684038 CEST  48154        49741      79.134.225.40  192.168.2.4
                                                                                          Apr 8, 2021 19:07:36.622771025 CEST4974248154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:36.651227951 CEST481544974279.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:37.156196117 CEST4974248154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:37.188601017 CEST481544974279.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:37.702990055 CEST4974248154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:37.730161905 CEST481544974279.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:41.789257050 CEST4974348154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:41.820215940 CEST481544974379.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:42.328563929 CEST4974348154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:42.358417034 CEST481544974379.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:42.859678984 CEST4974348154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:42.887836933 CEST481544974379.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:46.940459967 CEST4974448154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:46.969897985 CEST481544974479.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:47.485060930 CEST4974448154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:47.517096043 CEST481544974479.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:48.031974077 CEST4974448154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:48.072392941 CEST481544974479.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:52.081202030 CEST4974548154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:52.137236118 CEST481544974579.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:52.641819954 CEST4974548154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:52.691555023 CEST481544974579.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:53.204392910 CEST4974548154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:53.232636929 CEST481544974579.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:57.237580061 CEST4974648154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:57.265291929 CEST481544974679.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:57.767136097 CEST4974648154192.168.2.479.134.225.40
                                                                                          Apr 8, 2021 19:07:57.796385050 CEST481544974679.134.225.40192.168.2.4
                                                                                          Apr 8, 2021 19:07:58.298547029 CEST4974648154192.168.2.479.134.225.40

                                                                                          UDP Packets

                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                                          DNS Queries

                                                                                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
                                                                                          Apr 8, 2021 19:06:22.594480991 CEST  192.168.2.4  8.8.8.8  0x727e    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:06:28.039309025 CEST  192.168.2.4  8.8.8.8  0x1207    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:06:45.224353075 CEST  192.168.2.4  8.8.8.8  0xc34c    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:05.747019053 CEST  192.168.2.4  8.8.8.8  0x83e8    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:10.927253962 CEST  192.168.2.4  8.8.8.8  0x4728    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:16.072588921 CEST  192.168.2.4  8.8.8.8  0x41fb    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:36.600106001 CEST  192.168.2.4  8.8.8.8  0x309e    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:41.767921925 CEST  192.168.2.4  8.8.8.8  0xbdd9    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:46.925127029 CEST  192.168.2.4  8.8.8.8  0x44e     Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:08:07.500602007 CEST  192.168.2.4  8.8.8.8  0x1c40    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:08:12.678395033 CEST  192.168.2.4  8.8.8.8  0xa8d7    Standard query (0)  strongodss.ddns.net  A (IP address)  IN (0x0001)

                                                                                          DNS Answers

                                                                                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address        Type            Class
                                                                                          Apr 8, 2021 19:06:22.607168913 CEST  8.8.8.8    192.168.2.4  0x727e    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:06:28.061603069 CEST  8.8.8.8    192.168.2.4  0x1207    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:06:45.239716053 CEST  8.8.8.8    192.168.2.4  0xc34c    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:05.761940956 CEST  8.8.8.8    192.168.2.4  0x83e8    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:10.940756083 CEST  8.8.8.8    192.168.2.4  0x4728    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:16.085952997 CEST  8.8.8.8    192.168.2.4  0x41fb    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:36.621063948 CEST  8.8.8.8    192.168.2.4  0x309e    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:41.787542105 CEST  8.8.8.8    192.168.2.4  0xbdd9    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:07:46.938282013 CEST  8.8.8.8    192.168.2.4  0x44e     No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:08:07.513406038 CEST  8.8.8.8    192.168.2.4  0x1c40    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)
                                                                                          Apr 8, 2021 19:08:12.698591948 CEST  8.8.8.8    192.168.2.4  0xa8d7    No error (0)  strongodss.ddns.net  -      79.134.225.40  A (IP address)  IN (0x0001)

                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          Behavior

                                                                                          System Behavior

                                                                                          General

                                                                                          Start time: 19:06:03
                                                                                          Start date: 08/04/2021
                                                                                          Path: C:\Users\user\Desktop\zunUbtZ2Y3.exe
                                                                                          Wow64 process (32bit): true
                                                                                          Commandline: 'C:\Users\user\Desktop\zunUbtZ2Y3.exe'
                                                                                          Imagebase: 0x1350000
                                                                                          File size: 986265 bytes
                                                                                          MD5 hash: 5EA59097FB7EED4AC42B666AC548D39C
                                                                                          Has elevated privileges: true
                                                                                          Has administrator privileges: true
                                                                                          Programmed in: C, C++ or other language
                                                                                          Reputation: low

                                                                                          General

                                                                                          Start time: 19:06:08
                                                                                          Start date: 08/04/2021
                                                                                          Path: C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          Wow64 process (32bit): true
                                                                                          Commandline: 'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' xaso.fhr
                                                                                          Imagebase: 0xee0000
                                                                                          File size: 664816 bytes
                                                                                          MD5 hash: 51663CBA5E7E841A0443112BF5E57049
                                                                                          Has elevated privileges: true
                                                                                          Has administrator privileges: true
                                                                                          Programmed in: C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.677255613.000000000423F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.677318458.0000000004272000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.679566684.00000000041A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.679501436.00000000041D5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.679383356.000000000420A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.678729204.0000000004155000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.676679410.00000000041D5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.677221211.000000000420A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.677158257.000000000420A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.676738123.0000000004155000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.676806998.00000000041A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.676882345.0000000004121000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.679249376.0000000004121000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.677081542.0000000004155000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          Antivirus matches:
                                                                                          • Detection: 19%, Metadefender
                                                                                          • Detection: 45%, ReversingLabs
                                                                                          Reputation:low

                                                                                          General

                                                                                          Start time:19:06:13
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          Imagebase:0x70000
                                                                                          File size:45152 bytes
                                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.923227276.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.927044565.00000000060B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.927012461.00000000060A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.927012461.00000000060A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.926952371.0000000006010000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.926952371.0000000006010000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.922381074.0000000000502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.924061373.0000000003909000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, Metadefender
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:17
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E2B.tmp'
                                                                                          Imagebase:0x1270000
                                                                                          File size:185856 bytes
                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:17
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff724c50000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:18
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4272.tmp'
                                                                                          Imagebase:0x1270000
                                                                                          File size:185856 bytes
                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:18
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff724c50000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:19
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
                                                                                          Imagebase:0xff0000
                                                                                          File size:45152 bytes
                                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:20
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff724c50000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:21
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                                          Imagebase:0x60000
                                                                                          File size:45152 bytes
                                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, Metadefender
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:22
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff724c50000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:19:06:22
                                                                                          Start date:08/04/2021
                                                                                          Path:C:\Users\user\AppData\Roaming\22032878\nfiuc.pif
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Users\user\AppData\Roaming\22032878\nfiuc.pif' C:\Users\user\AppData\Roaming\22032878\xaso.fhr
                                                                                          Imagebase:0xee0000
                                                                                          File size:664816 bytes
                                                                                          MD5 hash:51663CBA5E7E841A0443112BF5E57049
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.708352984.000000000474B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.708271591.0000000004718000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710662958.0000000004646000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710938676.0000000004611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707826555.00000000046AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710381105.000000000467A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707511293.000000000467A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.709101376.00000000039C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710427838.00000000046E2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707926521.00000000046E3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710514323.00000000046E2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707412308.0000000004611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.709214730.00000000039A5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707670444.0000000004646000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.707301176.0000000004646000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.710256620.00000000046AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.708173598.00000000046E3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 19:06:28
Start date: 08/04/2021
Path: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase: 0x8e0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.732406620.0000000004439000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.732316965.0000000003431000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: high

General

Start time: 19:06:30
Start date: 08/04/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\22032878\Update.vbs'
Imagebase: 0x7ff7764a0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:06:38
Start date: 08/04/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x940000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 19:06:39
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
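Each Yara bullet above names, in its Source field, the process dump and the memory region the rule fired in. The following is an added example, not code from the original report or from Joe Sandbox, that parses those bullets into records and singles out regions that are writable and executable: the RegSvcs.exe hits at 0000000000D02000 carry the protection field 00000040, while every hit in the earlier process carries 00000004. It assumes the dump-name layout <proc-index>.<dump-kind>.<dump-id>.<base-address>.<protection>.<flags>.sdmp and that the protection field holds a Windows PAGE_* constant; neither is documented on the page. The input lines are constructed copies of the report's own bullets.

```python
"""Parse the Yara-match bullets of a sandbox report into triage records.

Added example; not part of the original report or of Joe Sandbox.
Assumption (not documented on the page): a memory-dump source name has the
layout <proc-index>.<dump-kind>.<dump-id>.<base-address>.<protection>.<flags>.sdmp
and the <protection> field holds a Windows PAGE_* constant in hex.
"""
import re
from collections import defaultdict

# Constructed input in the shape of the report's "Yara matches" bullets.
SAMPLE_MATCHES = """\
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.707372891.00000000046AF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.729421320.0000000000D02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
"""

MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<description>.*?),\s*"
    r"Source:\s*(?P<source>\S+\.sdmp),\s*Author:\s*(?P<author>.+)$"
)
SOURCE_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)

# Windows memory protection constants (winnt.h); only the low byte is decoded.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_AND_EXECUTABLE = 0x40 | 0x80


def parse_source(source):
    """Split a .sdmp source name into its fields (the layout is an assumption)."""
    m = SOURCE_RE.match(source)
    if m is None:
        raise ValueError(f"unrecognised source name: {source!r}")
    proc, kind, dump_id, base, prot, flags = m.groups()
    protection = int(prot, 16) & 0xFF
    return {
        "proc_index": int(proc, 16),
        "dump_kind": int(kind, 16),
        "dump_id": int(dump_id),
        "base": int(base, 16),
        "protection": protection,
        "protection_name": PAGE_PROTECTION.get(protection, hex(protection)),
        "executable": bool(protection & EXECUTABLE),
        "rwx": bool(protection & WRITABLE_AND_EXECUTABLE),
        "flags": int(flags, 16),
    }


def parse_matches(text):
    """Return one record per Yara bullet; lines that are not match bullets are skipped."""
    records = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if m is None:
            continue
        record = m.groupdict()
        record.update(parse_source(record["source"]))
        records.append(record)
    return records


def regions(records):
    """Group hits by (process index, region base): which rules fired and the region's protection."""
    rules_by_region = defaultdict(set)
    protection_by_region = {}
    for r in records:
        key = (r["proc_index"], r["base"])
        rules_by_region[key].add(r["rule"])
        protection_by_region[key] = (r["protection_name"], r["rwx"])
    return {
        key: {"rules": sorted(rules),
              "protection": protection_by_region[key][0],
              "rwx": protection_by_region[key][1]}
        for key, rules in rules_by_region.items()
    }


def injection_candidates(records):
    """Regions that are writable and executable and matched a family rule: the usual
    footprint of a payload written into a hollowed host process."""
    return sorted({(r["proc_index"], r["base"]) for r in records if r["rwx"]})


if __name__ == "__main__":
    recs = parse_matches(SAMPLE_MATCHES)
    for (proc, base), summary in sorted(regions(recs).items()):
        print(f"proc {proc:#04x} region {base:#010x} {summary['protection']:<24} rules={summary['rules']}")
    print("injection candidates:", [(p, hex(b)) for p, b in injection_candidates(recs)])
```

Run as a script it prints one line per region; on the constructed input the only writable-and-executable region is the one at 0xD02000 in process 0x0C, which is where a triage analyst would start when confirming that a legitimate .NET host was hollowed. The dump-kind and flags fields are kept as raw integers because the page gives no basis for decoding them.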

Disassembly

Code Analysis
