
Analysis Report oE6O5K1emC.exe

Overview

General Information

Sample Name:oE6O5K1emC.exe
Analysis ID:384479
MD5:0cf0cd25346ee69b7e5aa8e366c886e9
SHA1:ca13e5bbc69f2d808139ee18ea5ad56579f8b003
SHA256:f542bc0175168daa808ce1448a019f88b058df6d0702c6daa4a0f83a481f2a5e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • oE6O5K1emC.exe (PID: 6360 cmdline: 'C:\Users\user\Desktop\oE6O5K1emC.exe' MD5: 0CF0CD25346EE69B7E5AA8E366C886E9)
    • schtasks.exe (PID: 6456 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6500 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • dhcpmon.exe (PID: 7024 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xa85fd:$x1: NanoCore.ClientPluginHost
    • 0xdae1d:$x1: NanoCore.ClientPluginHost
    • 0xa863a:$x2: IClientNetworkHost
    • 0xdae5a:$x2: IClientNetworkHost
    • 0xac16d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0xde98d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xa8365:$a: NanoCore
      • 0xa8375:$a: NanoCore
      • 0xa85a9:$a: NanoCore
      • 0xa85bd:$a: NanoCore
      • 0xa85fd:$a: NanoCore
      • 0xdab85:$a: NanoCore
      • 0xdab95:$a: NanoCore
      • 0xdadc9:$a: NanoCore
      • 0xdaddd:$a: NanoCore
      • 0xdae1d:$a: NanoCore
      • 0xa83c4:$b: ClientPlugin
      • 0xa85c6:$b: ClientPlugin
      • 0xa8606:$b: ClientPlugin
      • 0xdabe4:$b: ClientPlugin
      • 0xdade6:$b: ClientPlugin
      • 0xdae26:$b: ClientPlugin
      • 0xa84eb:$c: ProjectData
      • 0xdad0b:$c: ProjectData
      • 0xa8ef2:$d: DESCrypto
      • 0xdb712:$d: DESCrypto
      • 0xb08be:$e: KeepAlive
Process Memory Space: oE6O5K1emC.exe PID: 6360 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
3.3.RegSvcs.exe.3d02987.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0x41ee:$x1: NanoCore.ClientPluginHost
        • 0x422b:$x2: IClientNetworkHost
3.3.RegSvcs.exe.3d02987.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0x41ee:$x2: NanoCore.ClientPluginHost
        • 0x7641:$s4: PipeCreated
        • 0x4218:$s5: IClientLoggingHost
0.2.oE6O5K1emC.exe.4762470.1.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.oE6O5K1emC.exe.4762470.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xe105:$x1: NanoCore Client.exe
        • 0xe38d:$x2: NanoCore.ClientPluginHost
        • 0xf9c6:$s1: PluginCommand
        • 0xf9ba:$s2: FileCommand
        • 0x1086b:$s3: PipeExists
        • 0x16622:$s4: PipeCreated
        • 0xe3b7:$s5: IClientLoggingHost
0.2.oE6O5K1emC.exe.4762470.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\oE6O5K1emC.exe', ParentImage: C:\Users\user\Desktop\oE6O5K1emC.exe, ParentProcessId: 6360, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', ProcessId: 6456

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack; Malware Configuration Extractor: NanoCore (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: oE6O5K1emC.exe; Virustotal: Detection: 12%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE
Source: oE6O5K1emC.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: oE6O5K1emC.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb; source: dhcpmon.exe, dhcpmon.exe.3.dr
Source: Binary string: mscorrc.pdb; source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 79.134.225.30:1144
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: nassiru1155.ddns.net
Source: Malware configuration extractor; URLs: 79.134.225.30
Source: global traffic; TCP traffic: 192.168.2.4:49727 -> 79.134.225.30:1144
Source: Joe Sandbox View; IP Address: 79.134.225.30
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown; TCP traffic detected without corresponding DNS query: 79.134.225.30

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.3.RegSvcs.exe.3d02987.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; Code function: 0_2_05850AAA NtQueryInformationProcess
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; Code function: 0_2_05850C1A NtQuerySystemInformation
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; Code function: 0_2_05850A88 NtQueryInformationProcess
Source: C:\Users\user\Desktop\oE6O5K1emC.exe; Code function: 0_2_05850BDF NtQuerySystemInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05707891
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05703498
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570E328
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05708FE0
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570F7D8
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570353A
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05706508
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570ADF1
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05709C70
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05709C61
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570AC30
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570AC20
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05707CA0
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570F0A0
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570F08F
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05704750
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05706FF8
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570AFE8
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570AFD8
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05706FA3
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05703A69
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570AE00
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570EAE0
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05708EEF
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570EAC8
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570A6A0
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_0570A691
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeCode function: 0_2_05704699
Source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.687029231.0000000009730000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.687029231.0000000009730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686733497.0000000009110000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.674253648.0000000000F60000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSafeBuffer.exe( vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686891802.0000000009630000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686584573.0000000008F80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe | Binary or memory string: OriginalFilenameSafeBuffer.exe( vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.3.RegSvcs.exe.3d02987.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/12@0/1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Code function: 0_2_05850806 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Code function: 0_2_058507CF AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File created: C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Mutant created: \Sessions\1\BaseNamedObjects\hekBcBncHUQUQSzS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp
Source: oE6O5K1emC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: oE6O5K1emC.exe | Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File read: C:\Users\user\Desktop\oE6O5K1emC.exe
Source: unknown | Process created: C:\Users\user\Desktop\oE6O5K1emC.exe 'C:\Users\user\Desktop\oE6O5K1emC.exe'
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: oE6O5K1emC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: oE6O5K1emC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: oE6O5K1emC.exe | Static file information: File size 1554944 > 1048576
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: oE6O5K1emC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ea00
Source: oE6O5K1emC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source: Binary string: mscorrc.pdb source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Code function: 0_2_017473E8 pushfd ; ret
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Code function: 0_2_019767B0 pushad ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.5082657765
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File created: C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe (dropped PE file)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped PE file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (19 occurrences)
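The persistence and hiding behaviour recorded above (schtasks /Create fed an XML task definition from %TEMP% under Boot Survival, RegSvcs.exe started with an empty command line by the Desktop sample, RegSvcs.exe opening its own Zone.Identifier stream with delete access, and RegSvcs.exe dropping dhcpmon.exe into Program Files) is exactly the kind of event sequence a detection engineer turns into rules. The following is an added example of that detection logic, written for this page; it is not part of the Joe Sandbox report and not code from the sample. The event lines are constructed by hand in the report's own "Source: <process> | <action>: <detail>" layout (the two benign control lines are invented), and the RegAsm/InstallUtil/MSBuild names alongside RegSvcs.exe are an assumption about sibling .NET utilities, not something the report shows.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events in the same "Source: <process> | <action>: <detail>"
# shape as the report lines above; they mirror the report but are typed here by hand.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'",
    r"Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
    # Two constructed benign controls: a task registered from a non-temp XML, and
    # RegSvcs.exe run the way an installer runs it (with an assembly argument).
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
    r"Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe RegSvcs.exe C:\Program Files (x86)\Vendor\Service.dll",
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# RegSvcs.exe is the hollowing target in this report; the other three names are an
# assumption about sibling .NET framework utilities abused the same way.
HOLLOW_TARGETS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")
WINDIR = "c:\\windows\\"


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split 'Source: X | Action: detail' into (source, action, detail).
    Only the first ' | ' is a field separator; later ones (an access mask such as
    'read attributes | delete') belong to the detail."""
    head, _, rest = line.partition(" | ")
    source = head[len("Source: "):] if head.startswith("Source: ") else head
    action, _, detail = rest.partition(": ")
    return source.strip(), action.strip(), detail.strip()


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_schtasks_xml_from_temp(source: str, action: str, detail: str) -> bool:
    """schtasks /Create fed an XML task definition that lives in a temp directory."""
    low = detail.lower()
    if action != "Process created" or "schtasks" not in low or "/create" not in low:
        return False
    m = re.search(r"/XML\s+['\"]?([^'\"]+)", detail, re.IGNORECASE)
    return bool(m) and any(t in m.group(1).lower() for t in TEMP_DIRS)


def rule_hollowed_dotnet_utility(source: str, action: str, detail: str) -> bool:
    """A .NET framework utility started with an empty command line by a parent
    outside %WINDIR%: the shape of the RegSvcs.exe injection in this report."""
    if action != "Process created":
        return False
    m = re.match(r"(?i)^(.*?\.exe)\s+(.*)$", detail)  # image path, then command line
    if not m or basename(m.group(1)) not in HOLLOW_TARGETS:
        return False
    # drop the (possibly quoted) program token; whatever remains is an argument
    args = re.sub(r"(?i)^['\"]?[^'\"\s]*\.exe['\"]?\s*", "", m.group(2))
    return args == "" and not source.lower().startswith(WINDIR)


def rule_zone_identifier_strip(source: str, action: str, detail: str) -> bool:
    """Zone.Identifier stream opened with delete access (mark-of-the-web removal)."""
    d = detail.lower()
    return action == "File opened" and ":zone.identifier" in d and "delete" in d


def rule_dotnet_utility_drops_exe(source: str, action: str, detail: str) -> bool:
    """A framework utility (here the hollowing host) writing an executable under Program Files."""
    d = detail.lower()
    return (action == "File created" and basename(source) in HOLLOW_TARGETS
            and d.startswith("c:\\program files") and d.endswith(".exe"))


RULES: Dict[str, Callable[[str, str, str], bool]] = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "hollowed_dotnet_utility": rule_hollowed_dotnet_utility,
    "zone_identifier_strip": rule_zone_identifier_strip,
    "dotnet_utility_drops_exe": rule_dotnet_utility_drops_exe,
}


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, source process) for every event that trips a rule."""
    hits = []
    for line in lines:
        source, action, detail = parse_event(line)
        for name, rule in RULES.items():
            if rule(source, action, detail):
                hits.append((name, source))
    return hits


if __name__ == "__main__":
    for name, source in triage(SAMPLE_EVENTS):
        print(f"{name:26} {source}")
```

On the constructed input the four malicious events each trip exactly one rule and the two controls trip none; the parent-path and empty-command-line conditions in the RegSvcs rule are what keep a legitimate installer run of RegSvcs.exe quiet.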

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: oE6O5K1emC.exe PID: 6360, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 590
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 612
Source: C:\Users\user\Desktop\oE6O5K1emC.exe TID: 6364 | Thread sleep time: -104975s >= -30000s
Source: C:\Users\user\Desktop\oE6O5K1emC.exe TID: 6384 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Thread delayed: delay time: 104975
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000003.766854769.0000000000869000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllanceExClientPlugin.resources.EXES/p
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 3B1008
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          Source: RegSvcs.exe, 00000003.00000003.795197126.0000000000869000.00000004.00000001.sdmp | Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
          Source: RegSvcs.exe, 00000003.00000003.678235636.0000000000877000.00000004.00000001.sdmp | Binary or memory string: Program Manager.NET\Framework\v2.0.50727\h
          Source: RegSvcs.exe, 00000003.00000003.794087932.00000000008AD000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: RegSvcs.exe, 00000003.00000003.723840483.00000000057C1000.00000004.00000001.sdmp | Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\Desktop\oE6O5K1emC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: RegSvcs.exe, 00000003.00000003.687967168.0000000003CFF000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Access Token Manipulation1 | Masquerading2 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection212 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Virtualization/Sandbox Evasion31 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Virtualization/Sandbox Evasion31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection212 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | oE6O5K1emC.exe | 13% | Virustotal | |

          Dropped Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | |
          | C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | nassiru1155.ddns.net | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.comTCe | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          | http://www.carterandcone.comypoD | 0% | Avira URL Cloud | safe |
          | http://www.fonts.com) | 0% | Avira URL Cloud | safe |
          | http://www.tiro.com | 0% | URL Reputation | safe |
          | http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          | http://www.carterandcone.com | 0% | URL Reputation | safe |
          | http://www.carterandcone.comTCH | 0% | Avira URL Cloud | safe |
          | http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          | http://www.typography.netD | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          | http://fontfabrik.com | 0% | URL Reputation | safe |
          | http://www.carterandcone.comTCD | 0% | Avira URL Cloud | safe |
          | http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          | http://www.fontbureau.comM.TTFK | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cn/g | 0% | Avira URL Cloud | safe |
          | http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          | http://www.tiro.comtna | 0% | Avira URL Cloud | safe |
          | http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          | http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          | http://www.sakkal.com | 0% | URL Reputation | safe |
          | http://www.fonts.comx | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cni | 0% | Avira URL Cloud | safe |
          | http://www.fontbureau.comasa | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.comexcR | 0% | Avira URL Cloud | safe |
          | http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
          | http://www.carterandcone.comd | 0% | URL Reputation | safe |
          | http://www.carterandcone.comgy | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.comTC | 0% | URL Reputation | safe |
          | http://www.carterandcone.comX | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.c | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/C | 0% | Avira URL Cloud | safe |
          | http://www.sandoll.co.kre | 0% | Avira URL Cloud | safe |
          | 79.134.225.30 | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.coml | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          | http://www.urwpp.dew | 0% | Avira URL Cloud | safe |
          | http://www.fontbureau.comionm | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.comnew= | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cne-d | 0% | Avira URL Cloud | safe |
          | http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          | http://www.fontbureau.comFg | 0% | Avira URL Cloud | safe |
          | http://en.w7 | 0% | Avira URL Cloud | safe |
          | http://www.fontbureau.comsiefeq | 0% | Avira URL Cloud | safe |
          | http://www.carterandcone.comTCoo | 0% | Avira URL Cloud | safe |
          | http://www.fonts.com-u | 0% | Avira URL Cloud | safe |
          | http://www.fontbureau.com~ | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
nassiru1155.ddns.net | true | Avira URL Cloud: safe | unknown
79.134.225.30 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comTCe | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
http://www.carterandcone.comypoD | oE6O5K1emC.exe, 00000000.00000003.651652317.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersJ | oE6O5K1emC.exe, 00000000.00000003.654970747.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655396524.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com) | oE6O5K1emC.exe, 00000000.00000003.649295268.00000000059DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/frere-user.html/ | oE6O5K1emC.exe, 00000000.00000003.654947203.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers | oE6O5K1emC.exe, 00000000.00000003.659379671.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654702563.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654666209.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655363826.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.com | oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comTCH | oE6O5K1emC.exe, 00000000.00000003.652006523.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.typography.netD | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn/cThe | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://fontfabrik.com | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comTCD | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.comM.TTFK | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/g | oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.tiro.comtna | oE6O5K1emC.exe, 00000000.00000003.649513321.00000000059DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.zhongyicts.com.cn | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.sakkal.com | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fonts.comx | oE6O5K1emC.exe, 00000000.00000003.649273531.00000000059DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cni | oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersn | oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comasa | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designerss | oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comexcR | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comd | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comgy | oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.comX | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.c | oE6O5K1emC.exe, 00000000.00000003.650828055.00000000059C4000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/C | oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kre | oE6O5K1emC.exe, 00000000.00000003.650167999.00000000059C6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comX | oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp | false | - | unknown
http://www.carterandcone.coml | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn/ | oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.urwpp.dew | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comionm | oE6O5K1emC.exe, 00000000.00000003.673968990.00000000059C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comnew= | oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cne-d | oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.comFg | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.w7 | oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comsiefeq | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTCoo | oE6O5K1emC.exe, 00000000.00000003.652274217.00000000059FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | oE6O5K1emC.exe, 00000000.00000003.654419205.00000000059F5000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com-u | oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com~ | oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.30 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true
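Nearly every row in the memory listing above is a type-foundry URL with trailing bytes (comTCD, comM.TTFK, deDPlease): these are name-table strings from fonts embedded in the .NET binary, cut at arbitrary boundaries by the string extractor, which is why the report's own reputation lookups rate them safe. The only indicators the sandbox saw traffic to are the two under Contacted URLs and Contacted IPs. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the report's flattened form, separates foundry residue from contacted indicators, and runs the contacted set over log lines. The four REPORT_ROWS are copied from the listing; the log lines, the 192.0.2.10 answer and the 79.134.225.0/24 rule are constructed assumptions (the /24 is drawn from the ASN context table further down, which lists other NanoCore C2 hosts in that block).

```python
"""Triage of the URL and IP indicators listed in the report above.

Added example; not part of the Joe Sandbox report. REPORT_ROWS are copied from
the "URLs from Memory and Binaries" listing; the log lines and the /24 rule
are constructed assumptions for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE = "oE6O5K1emC.exe"

# The only indicators the sandbox saw traffic to (Contacted URLs / Contacted IPs).
CONTACTED = {"nassiru1155.ddns.net", "79.134.225.30"}

# Assumption, not a finding of the report: the ASN context table lists a dozen
# other NanoCore C2 addresses in this block, so the whole /24 is flagged at
# lower severity.
RELATED_NETBLOCK = ipaddress.ip_network("79.134.225.0/24")

# Type foundries whose URLs sit in the name tables of fonts embedded in the
# .NET binary; they account for nearly every row of the memory listing.
FONT_VENDOR_DOMAINS = {
    "www.fontbureau.com", "www.carterandcone.com", "www.founder.com.cn",
    "www.galapagosdesign.com", "www.sandoll.co.kr", "www.tiro.com",
    "www.urwpp.de", "www.zhongyicts.com.cn", "www.sakkal.com", "www.fonts.com",
    "www.jiyu-kobo.co.jp", "www.goodfont.co.kr", "www.sajatypeworks.com",
    "www.typography.net", "fontfabrik.com",
}

# Four rows exactly as the report flattens them: URL string, memory-dump
# source and Malicious flag run together without separators.
REPORT_ROWS = [
    "http://www.carterandcone.comTCDoE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmpfalse",
    "http://www.fontbureau.com/designersoE6O5K1emC.exe, 00000000.00000003.659379671.00000000059F5000.00000004.00000001.sdmpfalse",
    "http://en.w7oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmpfalse",
    "https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssoE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmpfalse",
]

ROW_RE = re.compile(r"^(?P<url>\S+?)(?P<source>" + re.escape(SAMPLE) + r".*?)(?P<malicious>true|false)$")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_row(row: str) -> dict:
    """Split a flattened listing row into url, source and malicious fields."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    fields = m.groupdict()
    fields["malicious"] = fields["malicious"] == "true"
    return fields


def classify(url: str) -> str:
    """'contacted', 'font-vendor-string' or 'other' for one URL string."""
    host = (urlsplit(url).netloc or url).lower()
    if host in CONTACTED:
        return "contacted"
    # Overrun ("comTCD") and truncation ("founder.com.c") both occur, so match
    # by prefix in either direction instead of by equality.
    for domain in FONT_VENDOR_DOMAINS:
        if host.startswith(domain) or (len(host) >= 8 and domain.startswith(host)):
            return "font-vendor-string"
    return "other"


def triage(rows) -> dict:
    """Count listing rows per bucket."""
    counts = {"contacted": 0, "font-vendor-string": 0, "other": 0}
    for row in rows:
        counts[classify(parse_row(row)["url"])] += 1
    return counts


def scan_logs(lines) -> list:
    """(line number, indicator, severity) for every line touching the C2."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host.lower() in CONTACTED:
                hits.append((n, host.lower(), "high"))
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if ip in CONTACTED:
                hits.append((n, ip, "high"))
            elif addr in RELATED_NETBLOCK:
                hits.append((n, ip, "medium"))
    return hits


# Constructed DNS and connection records; 192.0.2.10 is a documentation address.
LOG_LINES = [
    "2021-04-09T09:47:30Z dns src=10.0.0.15 query=nassiru1155.ddns.net answer=79.134.225.30",
    "2021-04-09T09:47:31Z conn src=10.0.0.15 dst=79.134.225.30 proto=tcp",
    "2021-04-09T09:48:02Z conn src=10.0.0.22 dst=79.134.225.102 proto=tcp",
    "2021-04-09T09:48:10Z dns src=10.0.0.22 query=www.fontbureau.com answer=192.0.2.10",
]
```

triage(REPORT_ROWS) sorts the four copied rows into two foundry strings and two "other" strings (the truncated en.w7 and the Bootstrap CDN link) and zero contacted ones; scan_logs(LOG_LINES) flags the dynamic-DNS name and the C2 address at high severity and the neighbouring 79.134.225.102 at medium, and ignores the fontbureau lookup entirely. The prefix-in-both-directions match in classify is what keeps the overrun and truncated foundry strings out of the alerting set; a plain equality match would push most of the listing into "other".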

                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 384479
Start date: 09.04.2021
Start time: 09:46:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: oE6O5K1emC.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/12@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 2.3% (good quality ratio 1.8%)
• Quality average: 51.1%
• Quality standard deviation: 33.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
09:47:11 | API Interceptor | 1x Sleep call for process: oE6O5K1emC.exe modified
09:47:18 | API Interceptor | 936x Sleep call for process: RegSvcs.exe modified
09:47:20 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
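The Simulations table carries the two host artefacts worth a detection rule: the HKLM Run value "DHCP Monitor" pointing at C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (the same dropped path is shared with many other NanoCore samples in the Dropped Files context further down), and RegSvcs.exe, a .NET Framework utility with no business running on a desktop, executing hundreds of Sleep calls because the injected payload lives inside it. The Python below is an added example, not code from the Joe Sandbox report: it evaluates Sysmon-style event records (process create, file create, registry value set) against two rules, a Run value written by the same process that dropped the file it points to, and a .NET utility started by a parent that is not a developer tool. The event records are constructed; the additional utility names (RegAsm, InstallUtil, MSBuild), the legitimate-parent and installer lists, and the bare-command-line heuristic are assumptions, not findings of the report.

```python
"""Detection for the autostart and injection artefacts in the Simulations table.

Added example; not code from the Joe Sandbox report. Only the Run value name,
the dhcpmon.exe path and the RegSvcs.exe process name come from the report;
the event records are constructed in a Sysmon-like shape.
"""
import ntpath
import shlex

# Autostart keys; prefix match also covers RunOnce.
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
# Processes for which writing a Run value is routine (assumption).
LEGIT_INSTALLERS = {"msiexec.exe"}
# .NET Framework utilities used as hollowing targets; RegSvcs.exe is the one
# in this report, the other three are added by assumption.
INJECTION_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Parents under which those utilities normally run (assumption).
LEGIT_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "dotnet.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return one alert dict per suspicious event, in event order."""
    alerts = []
    dropped = {}  # pid -> lower-cased paths of files that process created
    for ev in events:
        kind = ev["event"]
        if kind == "file_create":
            dropped.setdefault(ev["pid"], set()).add(ev["target"].lower())
        elif kind == "registry_set":
            if not ev["key"].lower().startswith(RUN_KEYS):
                continue
            if _base(ev["image"]) in LEGIT_INSTALLERS:
                continue
            target = ev["data"].strip('"').lower()
            self_dropped = target in dropped.get(ev["pid"], set())
            alerts.append({
                "rule": "run-key-autostart",
                "severity": "high" if self_dropped else "medium",
                "pid": ev["pid"],
                "detail": f'{ev["value"]} -> {ev["data"]}'
                + (" (written by the process that dropped the file)" if self_dropped else ""),
            })
        elif kind == "process_create":
            if _base(ev["image"]) not in INJECTION_TARGETS:
                continue
            if _base(ev["parent_image"]) in LEGIT_PARENTS:
                continue
            # posix=False keeps Windows quoting and backslashes intact. A bare
            # launch of the utility with no arguments does nothing useful on
            # its own, which is the process-hollowing pattern.
            argc = len(shlex.split(ev["cmdline"], posix=False))
            alerts.append({
                "rule": "dotnet-utility-from-untrusted-parent",
                "severity": "high" if argc == 1 else "medium",
                "pid": ev["pid"],
                "detail": f'{_base(ev["image"])} spawned by {ev["parent_image"]}',
            })
    return alerts


# Constructed event stream: the sample drops dhcpmon.exe, registers it under
# Run, and starts a bare RegSvcs.exe; two benign events follow for contrast.
EVENTS = [
    {"event": "process_create", "pid": 1234, "image": r"C:\Users\user\Desktop\oE6O5K1emC.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\user\Desktop\oE6O5K1emC.exe"'},
    {"event": "file_create", "pid": 1234, "image": r"C:\Users\user\Desktop\oE6O5K1emC.exe",
     "target": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"event": "registry_set", "pid": 1234, "image": r"C:\Users\user\Desktop\oE6O5K1emC.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "DHCP Monitor",
     "data": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"event": "process_create", "pid": 2222,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\user\Desktop\oE6O5K1emC.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"event": "process_create", "pid": 3333,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /tlb MyComponent.dll'},
    {"event": "registry_set", "pid": 4444, "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]
```

detect(EVENTS) raises exactly two alerts, both high: the Run value, because pid 1234 wrote dhcpmon.exe moments before pointing the key at it, and the argument-less RegSvcs.exe under the sample. The same RegSvcs.exe under devenv.exe with a /tlb argument and the msiexec.exe Run value stay silent. Correlating the file write with the registry write is what lifts the first rule above "someone set a Run key"; on its own the registry event only rates medium.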

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection
79.134.225.30 | AIC7VMxudf.exe | malicious
79.134.225.30 | Payment Confirmation.exe | malicious
79.134.225.30 | JOIN.exe | malicious
79.134.225.30 | Itinerary.pdf.exe | malicious
79.134.225.30 | vVH0wIFYFd.exe | malicious
79.134.225.30 | GWee9QSphp.exe | malicious
79.134.225.30 | s7pnYY2USl.jar | malicious
79.134.225.30 | s7pnYY2USl.jar | malicious
79.134.225.30 | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe | malicious
79.134.225.30 | Import and Export Regulation.xlsx | malicious
79.134.225.30 | BBdzKOGQ36.exe | malicious
79.134.225.30 | BL.exe | malicious
79.134.225.30 | Payment Invoice.exe | malicious
79.134.225.30 | Payment Invoice.pdf.exe | malicious
79.134.225.30 | Inquiries_scan_011023783591374376585.exe | malicious

                                                                          Domains

                                                                          No context

                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | zunUbtZ2Y3.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | EASTERS.exe | malicious | 79.134.225.118
FINK-TELECOM-SERVICESCH | LIST OF POEA DELISTED AGENCIES.pdf.exe | malicious | 79.134.225.9
FINK-TELECOM-SERVICESCH | AWB.pdf.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | AIC7VMxudf.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | 9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe | malicious | 79.134.225.21
FINK-TELECOM-SERVICESCH | PO50164.exe | malicious | 79.134.225.79
FINK-TELECOM-SERVICESCH | Fast color scan to a PDFfile_1_20210331084231346.pdf.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | n7dIHuG3v6.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | F6JT4fXIAQ.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | order_inquiry2094.xls.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | 5H957qLghX.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | yBio5dWAOl.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | wDIaJji4Vv.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | DkZY1k3y9F.exe | malicious | 79.134.225.23
FINK-TELECOM-SERVICESCH | hbvo9thTAX.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | SCAN ORDER DOC 040202021.exe | malicious | 79.134.225.71
FINK-TELECOM-SERVICESCH | Waybill Doc_pdf.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | gfcYixSdyD.exe | malicious | 79.134.225.71
FINK-TELECOM-SERVICESCH | cJtVGjtNGZ.exe | malicious | 79.134.225.40

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Associated samples (all with Detection: malicious):
  GS_ PO NO.1862021.exe
  wDIaJji4Vv.exe
  cJtVGjtNGZ.exe
  Bilansno placanje.exe
  SecuriteInfo.com.Trojan.Inject4.9647.20479.exe
  wnIPBdB5OF.exe
  Delivery Form C.exe
  h6uc8EaDQX.exe
  3aDHivUqWtumbXb.exe
  fMy120EQiT6NaRd.exe
  SecuriteInfo.com.Variant.Bulz.394792.29952.exe
  SecuriteInfo.com.Trojan.PackedNET.578.18498.exe
  sfTZCyMKuC.exe
  y9Rtu1cnBk.exe
  Ixli7b5j6A.exe
  nq0aCrCXyE.exe
  73SriHObnQ.exe
  0672IMP000158021.pdf.exe
  rb86llCYzA.exe
  C3GWn5tduT.exe

                                                                                                                  Created / dropped Files

                                                                                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):3.7515815714465193
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                                                                                                  MD5:71369277D09DA0830C8C59F9E22BB23A
                                                                                                                  SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                                                                                                  SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                                                                                                  SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                                                                                                  Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: wDIaJji4Vv.exe, Detection: malicious
• Filename: cJtVGjtNGZ.exe, Detection: malicious
• Filename: Bilansno placanje.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Inject4.9647.20479.exe, Detection: malicious
• Filename: wnIPBdB5OF.exe, Detection: malicious
• Filename: Delivery Form C.exe, Detection: malicious
• Filename: h6uc8EaDQX.exe, Detection: malicious
• Filename: 3aDHivUqWtumbXb.exe, Detection: malicious
• Filename: fMy120EQiT6NaRd.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Bulz.394792.29952.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.PackedNET.578.18498.exe, Detection: malicious
• Filename: sfTZCyMKuC.exe, Detection: malicious
• Filename: y9Rtu1cnBk.exe, Detection: malicious
• Filename: Ixli7b5j6A.exe, Detection: malicious
• Filename: nq0aCrCXyE.exe, Detection: malicious
• Filename: 73SriHObnQ.exe, Detection: malicious
• Filename: 0672IMP000158021.pdf.exe, Detection: malicious
• Filename: rb86llCYzA.exe, Detection: malicious
• Filename: C3GWn5tduT.exe, Detection: malicious
                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):120
                                                                                                                  Entropy (8bit):5.016405576253028
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                                                  MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                                                  SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                                                  SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                                                  SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                                                  Malicious:false
                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                  Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\oE6O5K1emC.exe.log
                                                                                                                  Process:C:\Users\user\Desktop\oE6O5K1emC.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):664
                                                                                                                  Entropy (8bit):5.288448637977022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                                                                  MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                                                                  SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                                                                  SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                                                                  SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                                                                  Malicious:true
                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                                                                                  C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp
                                                                                                                  Process:C:\Users\user\Desktop\oE6O5K1emC.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1647
                                                                                                                  Entropy (8bit):5.185753707490085
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG6kbBtn:cbhK79lNQR/rydbz9I3YODOLNdq3Vkn
                                                                                                                  MD5:8691364F6187303B5A987AB904210902
                                                                                                                  SHA1:23A74D45BD4BD827501964713B23CBF891EFD72E
                                                                                                                  SHA-256:43D8999891D99A3D4406474CC11A627A59E769993069DE5E4240CCD5C9862841
                                                                                                                  SHA-512:9EA6FA83631DC1618B820EF9762C65128F5E148B2969165F1C39A0A590B0195EEB5F13D399BA09CDD9DCA1F8F0E30D361839F78350EF50555BA02F16D5142E3B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:low
                                                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1296
                                                                                                                  Entropy (8bit):7.012278113302776
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:IQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCy6:IkR5lkR5lkR5lkR5lkR5lkR5i
                                                                                                                  MD5:383833878D639AB9D3EE3ADF842AC47F
                                                                                                                  SHA1:E873365BC70A3B3F0E4B2156478B5FC45FAA8098
                                                                                                                  SHA-256:DA0C5534BB335E6BDFFA15200AC4ED932500D425999D1200C855A48FF4483FB0
                                                                                                                  SHA-512:22117398C7BD9D74CBF8EF5B3CB3D259806A5B363DB85C3990B31EE51B647C7BD0E4F95FFBC5AAD060520E910FCB43817E56DEADA96781A8DF15B1EEA573DA9F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8
                                                                                                                  Entropy (8bit):3.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Q9tn:Q9t
                                                                                                                  MD5:8BACB37884A4AF96860567FB19A77E4C
                                                                                                                  SHA1:BBBE9A196EDA91481E15FC68C5AE337DED70E0A9
                                                                                                                  SHA-256:4391234F02BA7E0982E043C27997CD7046186ECC7329E798C3582657E5EF55AF
                                                                                                                  SHA-512:C51F23901A481F26B8AB5B85366E7899F76A15EFD1DB98B04CD68E2E1F38C9FAF325D2B91BB38C67B9C65F4853BAF91AC7AFED231FEED71AA5072EC7F872256C
                                                                                                                  Malicious:true
                                                                                                                  Preview: */..+..H
                                                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):24
                                                                                                                  Entropy (8bit):4.501629167387823
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                                                                  MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                                                                  SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                                                                  SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                                                                  SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                                                                  Malicious:false
                                                                                                                  Preview: 9iH...}Z.4..f..J".C;"a
                                                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):64
                                                                                                                  Entropy (8bit):5.320159765557392
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                                                                  MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                                                                  SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                                                                  SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                                                                  SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                                                                  Malicious:false
                                                                                                                  Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):426840
                                                                                                                  Entropy (8bit):7.999608491116724
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
                                                                                                                  MD5:963D5E2C9C0008DFF05518B47C367A7F
                                                                                                                  SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
                                                                                                                  SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
                                                                                                                  SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
                                                                                                                  Malicious:false
C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe
Process: C:\Users\user\Desktop\oE6O5K1emC.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1554944
Entropy (8bit): 7.385331204380147
Encrypted: false
SSDEEP: 24576:8ZHdBedlcA8hbbgPFbg3TwSxivyHOcq5pCkQha6g53oG4l2GfONmPr:uBedlv8hbbgPFbhGYDHJ6g545lpfi8
MD5: 0CF0CD25346EE69B7E5AA8E366C886E9
SHA1: CA13E5BBC69F2D808139EE18EA5AD56579F8B003
SHA-256: F542BC0175168DAA808CE1448A019F88B058DF6D0702C6DAA4A0F83A481F2A5E
SHA-512: 03DFE9E8D76C37AB36CFF64E569F22861C10BAADAFEDA98C6CD9400A17ECBD93B38DF885BAC7C9D4237C912796F9C2C2A163D360D4FF7D58A101F59E021D5219
Malicious: false
C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe:Zone.Identifier
Process: C:\Users\user\Desktop\oE6O5K1emC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

\Device\ConDrv
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1145
Entropy (8bit): 4.462201512373672
Encrypted: false
SSDEEP: 24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5: 46EBEB88876A00A52CC37B1F8E0D0438
SHA1: 5E5DB352F964E5F398301662FF558BD905798A65
SHA-256: D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512: E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious: false
Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.385331204380147
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: oE6O5K1emC.exe
File size: 1554944
MD5: 0cf0cd25346ee69b7e5aa8e366c886e9
SHA1: ca13e5bbc69f2d808139ee18ea5ad56579f8b003
SHA256: f542bc0175168daa808ce1448a019f88b058df6d0702c6daa4a0f83a481f2a5e
SHA512: 03dfe9e8d76c37ab36cff64e569f22861c10baadafeda98c6cd9400a17ecbd93b38df885bac7c9d4237c912796f9c2c2a163d360d4ff7d58a101f59e021d5219
SSDEEP: 24576:8ZHdBedlcA8hbbgPFbg3TwSxivyHOcq5pCkQha6g53oG4l2GfONmPr:uBedlv8hbbgPFbhGYDHJ6g545lpfi8

File Icon

Icon Hash: f0cef27270b2ce70

Static PE Info

General

Entrypoint: 0x560836
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x606FFB50 [Fri Apr 9 06:59:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1607dc | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x164000 | 0x1cacc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x162000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x15e83c | 0x15ea00 | False | 0.646118120544 | Applesoft BASIC program data, first line number 22 | 7.5082657765 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x162000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x164000 | 0x1cacc | 0x1cc00 | False | 0.35202955163 | data | 4.73788431456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x164220 | 0x4228 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x168448 | 0x10a8 | data | |
RT_ICON | 0x1694f0 | 0x25a8 | data | |
RT_ICON | 0x16ba98 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x16fcc0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216 | |
RT_GROUP_ICON | 0x1804e8 | 0x14 | data | |
RT_GROUP_ICON | 0x1804fc | 0x4c | data | |
RT_VERSION | 0x180548 | 0x338 | data | |
RT_MANIFEST | 0x180880 | 0x249 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Northern Star
Assembly Version | 2.1.0.8
InternalName | SafeBuffer.exe
FileVersion | 2.1.0.8
CompanyName | Northern Star
LegalTrademarks |
Comments |
ProductName | MDM
ProductVersion | 2.1.0.8
FileDescription | MDM
OriginalFilename | SafeBuffer.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/09/21-09:47:19.737316 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:27.294035 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:33.578124 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:39.889240 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:46.602499 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:52.785449 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:47:59.259086 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:05.484805 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:11.811392 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49760 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:17.958802 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:24.238559 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:30.288193 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:36.397083 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49766 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:42.401372 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:48.419509 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49774 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:48:54.493298 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:49:00.548310 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:49:06.594824 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-09:49:12.597526 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 1144 | 192.168.2.4 | 79.134.225.30

Network Port Distribution

TCP Packets


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 09:47:04
Start date: 09/04/2021
Path: C:\Users\user\Desktop\oE6O5K1emC.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\oE6O5K1emC.exe'
Imagebase: 0xde0000
File size: 1554944 bytes
MD5 hash: 0CF0CD25346EE69B7E5AA8E366C886E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:47:15
Start date: 09/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'
Imagebase: 0xf70000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:47:16
Start date: 09/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:47:16
Start date: 09/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase: 0x30000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 09:47:29
Start date: 09/04/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0xdc0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 09:47:29
Start date: 09/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
