Analysis Report PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe

Overview

General Information

Sample Name: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Analysis ID: 402742
MD5: e10c403a6eec866d5772812c5edcc0a7
SHA1: 8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
SHA256: 9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
Tags: exe, NanoCore

Detection

Nanocore AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "098e4f4f-7679-4607-961c-79d0e067", "Group": "NEW", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: 18.2.explorers.exe.449ec58.5.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\explorers.exe ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Virustotal: Detection: 30%
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe ReversingLabs: Detection: 12%
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.InstallUtil.exe.6860000.10.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.502166610.0000000000F22000.00000002.00020000.sdmp, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
Source: Binary string: InstallUtil.pdb source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_0705195A
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then jmp 070A3FC8h 18_2_070A3741
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 18_2_070A920C
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 18_2_070A8C40
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then push dword ptr [ebp-24h] 18_2_070A9A20
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 18_2_070A9A20
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then xor edx, edx 18_2_070A9958
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then push dword ptr [ebp-20h] 18_2_070A9700
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 18_2_070A9700
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then push dword ptr [ebp-20h] 18_2_070A96F4
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 18_2_070A96F4
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 18_2_070A921C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 79.134.225.91
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 79.134.225.91:4488
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.91
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://RnGcYy.com
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://crl.m
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.dc-msedge.net
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://microsoft.co
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.252898213.0000000006A9E000.00000004.00000001.sdmp, explorers.exe, 00000012.00000003.340839616.00000000074DE000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/13
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1~n
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324521004.0000000006A9E000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g3
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g~n
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj3
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj~n
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318888486.00000000028F6000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325102537.0000000002F57000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325161813.0000000002F74000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508721871.000000000334F000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325409490.000000000304C000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorers.exe, 00000010.00000002.325102537.0000000002F57000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325032884.0000000002F21000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325409490.000000000304C000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, AMRAW.exe, AMRAW.exe.18.dr String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: explorers.exe, 00000010.00000002.324175270.0000000001288000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Window created: window name: CLIPBRDWNDCLASS
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
.NET source code contains very large array initializations
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Source: explorers.exe.0.dr, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Source: 0.0.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Source: 16.0.explorers.exe.ab0000.0.unpack, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Source: 16.2.explorers.exe.ab0000.0.unpack, Cr2/Za1.cs Large array initialization: .cctor: array initializer size 5470
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07054D94 CreateProcessAsUserW, 18_2_07054D94
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_00EDC8B0 0_2_00EDC8B0
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_00EDA038 0_2_00EDA038
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 16_2_02DBD2E0 16_2_02DBD2E0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 16_2_06DF165A 16_2_06DF165A
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 16_2_06DF1FD0 16_2_06DF1FD0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 16_2_06DF1FC1 16_2_06DF1FC1
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0171C8B0 18_2_0171C8B0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07056EF0 18_2_07056EF0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07054401 18_2_07054401
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07055BC9 18_2_07055BC9
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070589B2 18_2_070589B2
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705B05A 18_2_0705B05A
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070550D0 18_2_070550D0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070590E0 18_2_070590E0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705D8F8 18_2_0705D8F8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705C7B0 18_2_0705C7B0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705A7CF 18_2_0705A7CF
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705A7E0 18_2_0705A7E0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705E528 18_2_0705E528
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07051CA8 18_2_07051CA8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_07051CB8 18_2_07051CB8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705A358 18_2_0705A358
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705A368 18_2_0705A368
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_0705BAF0 18_2_0705BAF0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070A3741 18_2_070A3741
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070A1FD0 18_2_070A1FD0
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070AA778 18_2_070AA778
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070AA788 18_2_070AA788
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070A44E7 18_2_070A44E7
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070A44F8 18_2_070A44F8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070AA1C8 18_2_070AA1C8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070AA1D8 18_2_070AA1D8
Source: C:\Users\user\AppData\Roaming\explorers.exe Code function: 18_2_070A1FCB 18_2_070A1FCB
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_001D2296 23_2_001D2296
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_001D5800 23_2_001D5800
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_026746A0 23_2_026746A0
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_02674672 23_2_02674672
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_02674690 23_2_02674690
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Code function: 23_2_0267D2EB 23_2_0267D2EB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_00F220B0 24_2_00F220B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0581E480 24_2_0581E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0581E471 24_2_0581E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_0581BBD4 24_2_0581BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_06D20040 24_2_06D20040
Sample file is different than original file name gathered from version info
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamehCnYoxwadYHoTJqQhthGLP.exe4 vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324024093.00000000065C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324299380.0000000006850000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324299380.0000000006850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000000.230265238.00000000003F0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStudent Dashboard.exeD vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324926067.0000000006EB0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.323772465.00000000062C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Binary or memory string: OriginalFilenameStudent Dashboard.exeD vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Uses 32bit PE files
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Yara signature match
Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.evad.winEXE@25/16@0/1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File created: C:\Users\user\AppData\Roaming\explorers.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{098e4f4f-7679-4607-961c-79d0e06713b4}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\explorers.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\explorers.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Virustotal: Detection: 30%
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File read: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Source: unknown Process created: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe 'C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe'
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static file information: File size 1089024 > 1048576
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.502166610.0000000000F22000.00000002.00020000.sdmp, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
Source: Binary string: InstallUtil.pdb source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
Source: explorers.exe.0.dr, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
Source: 0.0.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
Source: 16.0.explorers.exe.ab0000.0.unpack, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
Source: 16.2.explorers.exe.ab0000.0.unpack, Az7/o1M.cs High entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\explorers.exe File created: C:\Users\user\AppData\Roaming\AMRAW.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File created: C:\Users\user\AppData\Roaming\explorers.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explorers

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe File opened: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\explorers.exe File opened: C:\Users\user\AppData\Roaming\explorers.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (109 identical entries collapsed)
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Process information set: NOOPENFILEERRORBOX (42 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (47 identical entries collapsed)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (27 identical entries collapsed)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\explorers.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_002FB277 sldt word ptr [eax] 0_2_002FB277
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Window / User API: threadDelayed 4032
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Window / User API: threadDelayed 4716
Source: C:\Users\user\AppData\Roaming\explorers.exe Window / User API: threadDelayed 971
Source: C:\Users\user\AppData\Roaming\explorers.exe Window / User API: threadDelayed 8439
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Window / User API: threadDelayed 4699
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Window / User API: threadDelayed 5089
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 6072
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3375
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6416 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6364 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6164 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6172 Thread sleep count: 203 > 30
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6180 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5904 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6764 Thread sleep count: 971 > 30
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6764 Thread sleep count: 8439 > 30
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5904 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep time: -42000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5480 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5484 Thread sleep count: 4699 > 30
Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5484 Thread sleep count: 5089 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5320 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s
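The sleep figures in the three signatures above ("Contains long sleeps", "Found a high number of Window / User specific system calls" and "May sleep (evasive loops)") are easier to read once one number is decoded: 922337203685477 is 2^63 / 10^4, i.e. the most negative relative NtDelayExecution interval (MINLONGLONG, in 100 ns units) expressed in milliseconds, which is exactly what kernel32's SleepEx(INFINITE) passes to the kernel. Every "Thread delayed: delay time: 922337203685477" entry is therefore one Sleep(INFINITE), the idiom .NET malware commonly uses to park its main thread after starting its workers; it keeps the process alive but is not a timing-based evasion. The larger per-thread totals are multiples of it (for example -22136092888451448 is 24 such calls), and the sandbox's "s" suffix is misleading: the values are milliseconds, with 30000 being its 30 s trigger. The script below is an added example, not part of the report or of the sample: it parses lines in the report's own format (the sample lines are copied from the entries above), splits each thread's total into infinite and finite sleep, and separates parked threads from real sleep loops such as TID 5424 (42 calls of 1000 ms). The classification labels are this example's own convention.

```python
import re

# One Sleep(INFINITE) as the sandbox accounts for it. kernel32!SleepEx(INFINITE)
# calls NtDelayExecution with the most negative relative interval (MINLONGLONG,
# i.e. 2**63 units of 100 ns); in milliseconds that is 2**63 // 10**4.
INFINITE_SLEEP_MS = (1 << 63) // 10_000      # 922337203685477

# Line shapes from the report's sleep signatures. The sandbox prints totals with a
# leading minus and an "s" suffix, but the values are milliseconds (the 30000
# threshold is its 30 s trigger).
DELAY_RE = re.compile(r"Source: (?P<image>.+?) Thread delayed: delay time: (?P<ms>\d+)")
SLEEP_TIME_RE = re.compile(r"TID: (?P<tid>\d+) Thread sleep time: -(?P<total>\d+)s >= -\d+s")
SLEEP_COUNT_RE = re.compile(r"TID: (?P<tid>\d+) Thread sleep count: (?P<count>\d+) > \d+")

# Lines copied from the report entries above; the only input this example needs.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6164 Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6416 Thread sleep time: -22136092888451448s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6172 Thread sleep count: 203 > 30",
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep count: 42 > 30",
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep time: -42000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6764 Thread sleep count: 8439 > 30",
]


def decode_sleep_total(total_ms):
    """Split a per-thread total into (Sleep(INFINITE) calls, remaining finite ms)."""
    return divmod(total_ms, INFINITE_SLEEP_MS)


def summarize_sleep_lines(lines):
    """Per-thread view: how many infinite sleeps, how many finite ms, how many calls."""
    threads = {}
    for line in lines:
        m = SLEEP_TIME_RE.search(line)
        if m:
            t = threads.setdefault(m["tid"], {"infinite": 0, "finite_ms": 0, "count": 0})
            inf, fin = decode_sleep_total(int(m["total"]))
            t["infinite"] += inf
            t["finite_ms"] += fin
            continue
        m = SLEEP_COUNT_RE.search(line)
        if m:
            t = threads.setdefault(m["tid"], {"infinite": 0, "finite_ms": 0, "count": 0})
            # The sandbox re-reports a thread as its count grows; keep the latest.
            t["count"] = max(t["count"], int(m["count"]))
    return threads


def classify_thread(t):
    """Separate a parked thread from a stalling loop; only the latter is time-based evasion."""
    if t["infinite"] and not t["finite_ms"]:
        return "parked"          # Sleep(INFINITE) x n: keeps the process alive, never wakes
    if t["count"] and t["finite_ms"]:
        return "sleep-loop"      # many short sleeps that add up past the sandbox threshold
    if t["count"]:
        return "poll-loop"       # many calls with no accounted time: sub-threshold or zero-length
    return "finite-sleep"


def count_infinite_delays(lines):
    """Count 'Thread delayed' lines that are exactly one Sleep(INFINITE), per image."""
    per_image = {}
    for line in lines:
        m = DELAY_RE.search(line)
        if m and int(m["ms"]) == INFINITE_SLEEP_MS:
            per_image[m["image"]] = per_image.get(m["image"], 0) + 1
    return per_image


if __name__ == "__main__":
    for tid, t in summarize_sleep_lines(SAMPLE_LINES).items():
        print(f"TID {tid}: {classify_thread(t)} "
              f"(infinite={t['infinite']}, finite_ms={t['finite_ms']}, calls={t['count']})")
    print("Sleep(INFINITE) per image:", count_infinite_delays(SAMPLE_LINES))
```

For triage this means the "long sleep" signatures here are mostly parked threads; the loop worth a second look is TID 5424 in explorers.exe, whose 42 one-second sleeps look like a polling loop rather than a deliberate stall past the sandbox window.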
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
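Taken together, the WMI enumerations of Win32_NetworkAdapterConfiguration and Win32_Processor (and, per the summary, Win32_BIOS and Win32_BaseBoard), plus the read of the SCSI CD-ROM device interface whose path carries the NECVMWar / VMware vendor strings, are the inventory a VM check compares against a list of hypervisor markers. The sandbox shows the queries, not the comparison; the following is an added example, not code from the report or the sample, of what such a comparison typically does and therefore of what a sandbox has to scrub. Both inventories are constructed for this example; the vendor keyword list, the NIC OUI table and the single-core rule are this example's own choices and are not claimed to be the sample's. The SLDT instruction at 0_2_002FB277 is a separate, CPU-level heuristic (a non-zero LDT selector on old, non-hardware-assisted VMs) that is largely obsolete on current hypervisors and is not modelled here. Note also that the Hyper-V error strings listed further below appear in reg.exe, a stock Windows binary the sample launched, in the same kind of read-only region, so they come from a shared Windows component rather than from the sample's own checks.

```python
import re

# Vendor markers that VM-detection routines look for in the WMI classes the
# sample enumerates (Win32_BIOS, Win32_BaseBoard, Win32_Processor,
# Win32_NetworkAdapterConfiguration) and in device-interface paths.
VM_VENDOR_RE = re.compile(
    r"vmware|virtualbox|vbox|innotek|qemu|kvm|bochs|xen|hyper-v|parallels|"
    r"virtual machine|440BX Desktop Reference Platform",
    re.IGNORECASE,
)
# First three octets of MAC addresses assigned to common virtual NICs
# (this example's own table).
VM_NIC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5D": "Hyper-V", "00:16:3E": "Xen",
}
WMI_CLASSES = ("Win32_BIOS", "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem")

# Constructed inventory of a stock VMware guest (sample data for this example).
VM_GUEST = {
    "Win32_BIOS": {"Manufacturer": "Phoenix Technologies LTD",
                   "SerialNumber": "VMware-56 4d 3b 0f 8a 11 e2 7c-3a 2d 7e 1f 9c 4b 6d 8e"},
    "Win32_BaseBoard": {"Manufacturer": "Intel Corporation",
                        "Product": "440BX Desktop Reference Platform"},
    "Win32_Processor": {"Name": "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz", "NumberOfCores": 1},
    "Win32_NetworkAdapterConfiguration": [
        {"Description": "Intel(R) 82574L Gigabit Network Connection", "MACAddress": "00:0C:29:4A:1B:7E"}],
    # The device path the sample opened, as listed in the report.
    "DeviceInterfaces": [
        r"SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"],
}
# Constructed inventory of a physical laptop: what a hardened sandbox should present.
BARE_METAL = {
    "Win32_BIOS": {"Manufacturer": "Dell Inc.", "SerialNumber": "7XK2R93"},
    "Win32_BaseBoard": {"Manufacturer": "Dell Inc.", "Product": "0N7TVV"},
    "Win32_Processor": {"Name": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz", "NumberOfCores": 4},
    "Win32_NetworkAdapterConfiguration": [
        {"Description": "Intel(R) Ethernet Connection I219-LM", "MACAddress": "54:BF:64:0A:11:22"}],
    "DeviceInterfaces": [
        r"SCSI#CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GU90N#4&1a2b3c4d&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"],
}


def vm_fingerprint_hits(inventory):
    """Return (class, property, value) triples that a typical VM check would trip on."""
    hits = []
    for cls in WMI_CLASSES:
        for prop, value in inventory.get(cls, {}).items():
            if isinstance(value, str) and VM_VENDOR_RE.search(value):
                hits.append((cls, prop, value))
    cores = inventory.get("Win32_Processor", {}).get("NumberOfCores")
    if cores is not None and cores < 2:          # single-vCPU guests are a common tell
        hits.append(("Win32_Processor", "NumberOfCores", cores))
    for nic in inventory.get("Win32_NetworkAdapterConfiguration", []):
        mac = (nic.get("MACAddress") or "").upper().replace("-", ":")
        vendor = VM_NIC_OUIS.get(mac[:8])
        if vendor:
            hits.append(("Win32_NetworkAdapterConfiguration", "MACAddress", f"{mac} ({vendor})"))
    for path in inventory.get("DeviceInterfaces", []):
        # "NECVMWar" is VMware's virtual CD-ROM vendor ID and is not caught by the word list.
        if VM_VENDOR_RE.search(path) or "NECVMWar" in path:
            hits.append(("DeviceInterface", "path", path))
    return hits


if __name__ == "__main__":
    for name, inv in (("VM guest", VM_GUEST), ("bare metal", BARE_METAL)):
        print(name, "->", len(vm_fingerprint_hits(inv)), "hit(s)")
        for hit in vm_fingerprint_hits(inv):
            print("   ", hit)
```

The practical point for a sandbox operator is the last loop: scrubbing BIOS and baseboard strings is routine, but the virtual CD-ROM's device-interface path and the NIC OUI are the fields most often left at their defaults, and this sample reads exactly those.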
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorers.exe, 00000010.00000002.324256328.00000000012BF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_00EDCE38 LdrInitializeThunk, 0_2_00EDCE38
Enables debug privileges
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\explorers.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\explorers.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 10E1008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
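Read in order, the memory and process entries of this section are the process-hollowing sequence: explorers.exe starts InstallUtil.exe (a copy of the .NET Framework's signed InstallUtil, judging by the System.Configuration.Install.dll load further down) in suspended mode, allocates an executable region at the child's image base 0x400000, writes a buffer starting with 4D5A (an MZ header) there, follows with the section bodies at 0x402000, 0x420000 and 0x422000, and writes at 0x10E1008, which is consistent with updating ImageBaseAddress at offset 8 of a 32-bit PEB before resuming the thread. The same section records both persistence steps: a HKCU Run value written through cmd.exe and reg.exe, and two scheduled tasks created from XML files in %TEMP% (the pattern the "Scheduled temp file as task from temp location" Sigma rule matches). The following is an added example, not code from the report or from the sample, of the correlation a detection engineer would write over process-creation and cross-process memory events; the event list is constructed for this example from the entries above plus one benign control, the command-line tokenizer is deliberately simple, and the rule names are this example's own.

```python
import re
from collections import defaultdict

EXPLORERS = r"C:\Users\user\AppData\Roaming\explorers.exe"
INSTALLUTIL = r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"
DROPPER = r"C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe"

# Constructed event stream modelled on the report's "Memory allocated", "Memory
# written" and "Process created" lines (sample data for this example).
EVENTS = [
    {"op": "process_created", "src": EXPLORERS, "dst": INSTALLUTIL, "cmdline": INSTALLUTIL, "suspended": True},
    {"op": "memory_allocated", "src": EXPLORERS, "dst": INSTALLUTIL, "base": 0x400000,
     "protect": "page execute and read and write"},
    {"op": "memory_written", "src": EXPLORERS, "dst": INSTALLUTIL, "base": 0x400000, "head": "4D5A"},
    {"op": "memory_written", "src": EXPLORERS, "dst": INSTALLUTIL, "base": 0x402000, "head": ""},
    {"op": "memory_written", "src": EXPLORERS, "dst": INSTALLUTIL, "base": 0x10E1008, "head": ""},
    {"op": "process_created", "src": DROPPER, "dst": r"C:\Windows\SysWOW64\cmd.exe", "suspended": False,
     "cmdline": r"'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'"},
    {"op": "process_created", "src": INSTALLUTIL, "dst": r"C:\Windows\SysWOW64\schtasks.exe", "suspended": False,
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'"},
    # Benign control: a task defined by an XML file outside any Temp directory.
    {"op": "process_created", "src": DROPPER, "dst": r"C:\Windows\SysWOW64\schtasks.exe", "suspended": False,
     "cmdline": r"schtasks.exe /create /tn Backup /xml 'C:\ProgramData\Backup\task.xml'"},
]

TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def tokens(cmdline):
    """Split a Windows command line, honouring single and double quotes."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def find_hollowing(events):
    """Flag (source, target) pairs where a suspended child received an executable
    allocation and a write whose first bytes are an MZ header."""
    state = defaultdict(lambda: {"suspended": False, "exec_alloc": False, "mz_write": False})
    for e in events:
        st = state[(e["src"], e["dst"])]
        if e["op"] == "process_created" and e.get("suspended"):
            st["suspended"] = True
        elif e["op"] == "memory_allocated" and "execute" in e["protect"]:
            st["exec_alloc"] = True
        elif e["op"] == "memory_written" and e.get("head", "").upper().startswith("4D5A"):
            st["mz_write"] = True
    return [("process_hollowing", src, dst) for (src, dst), st in state.items()
            if st["suspended"] and st["exec_alloc"] and st["mz_write"]]


def find_persistence(events):
    """Flag Run-key writes via reg.exe and scheduled tasks defined from a Temp XML."""
    hits = []
    for e in events:
        if e["op"] != "process_created":
            continue
        t = tokens(e["cmdline"])
        low = [x.lower() for x in t]
        for i in range(len(low) - 2):
            if low[i] in ("reg", "reg.exe") and low[i + 1] == "add" and RUN_KEY_RE.search(t[i + 2]):
                payload = t[low.index("/d") + 1] if "/d" in low else None
                hits.append(("run_key_autostart", t[i + 2], payload))
        exe = low[0].rsplit("\\", 1)[-1] if low else ""
        if exe in ("schtasks", "schtasks.exe") and "/create" in low and "/xml" in low:
            xml = t[low.index("/xml") + 1]
            name = t[low.index("/tn") + 1] if "/tn" in low else None
            if TEMP_DIR_RE.search(xml):
                hits.append(("schtasks_xml_from_temp", name, xml))
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS) + find_persistence(EVENTS):
        print(hit)
```

Two design points: the hollowing rule keys on the (source, target) pair rather than on any single event, because each event on its own (a suspended start, an RWX allocation, a remote write) has legitimate uses in debuggers and installers; and the schtasks rule inspects the /xml path rather than the task name, since the name ("DHCP Monitor") is chosen to look benign while the XML in %TEMP% is the part the attacker cannot easily avoid.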
Source: InstallUtil.exe, 00000018.00000002.519680711.0000000006E6E000.00000004.00000001.sdmp Binary or memory string: Program Manager(
Source: InstallUtil.exe, 00000018.00000002.508373194.0000000003575000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000018.00000002.508395811.0000000003577000.00000004.00000001.sdmp Binary or memory string: Program Managern.no
Source: InstallUtil.exe, 00000018.00000002.519181612.000000000673D000.00000004.00000001.sdmp Binary or memory string: Program Manager 4L
Source: InstallUtil.exe, 00000018.00000002.520076135.000000000745E000.00000004.00000001.sdmp Binary or memory string: Program Manager(OX
Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Users\user\AppData\Roaming\explorers.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Users\user\AppData\Roaming\explorers.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Users\user\AppData\Roaming\AMRAW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.501590109.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312118610.0000000003B94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.388004677.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.391098389.0000000004603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\AMRAW.exe, type: DROPPED
Source: Yara match File source: 23.0.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.explorers.exe.4615b59.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.449ec58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.43ccb59.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.43ccb59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.explorers.exe.4615b59.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.449ec58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.unpack, type: UNPACKEDPE
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: explorers.exe, 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.508019913.0000000003481000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
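The run-together string above is the .NET #Strings metadata heap of the injected ClientPlugin assembly with its NUL separators stripped, which is why the plugin-host type names (NanoCore.ClientPluginHost, IClientNetworkHost, RebuildHostCache, DisableProtection and so on) appear back to back. The following is an added example, not the community Yara rule the sandbox ran: it scans a memory region for those marker strings in both the UTF-8 form they take in the metadata heap and the UTF-16LE form runtime strings take, and only calls a region NanoCore when several distinct markers co-occur. The three "dumps" it runs on are constructed test data, not dumps from this analysis.

```python
"""Marker-string scan for the NanoCore plugin host (added example; not the
community Yara rule from the report). Markers come from the metadata dump
listed above; the memory regions below are constructed test data."""
import re
from typing import Dict, List, Tuple

# .NET type/member names NanoCore exposes to its plugins, all present in the
# #Strings heap dump above. Identifiers sit NUL-terminated in that heap, which
# is why the report shows them run together.
NANOCORE_MARKERS = [
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientAppHost",
    b"IClientUIHost",
    b"ClientPlugin.dll",
    b"RebuildHostCache",
    b"DisableProtection",
    b"PipeExists",
]


def _encodings(marker: bytes) -> Tuple[bytes, bytes]:
    # Metadata identifiers are UTF-8; user strings (#US heap) and strings built
    # at runtime are UTF-16LE, so a region is checked for both forms.
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def find_markers(buf: bytes) -> Dict[str, List[int]]:
    """Map every marker present in buf to the sorted offsets it occurs at."""
    hits: Dict[str, List[int]] = {}
    for marker in NANOCORE_MARKERS:
        offsets = [m.start()
                   for enc in _encodings(marker)
                   for m in re.finditer(re.escape(enc), buf)]
        if offsets:
            hits[marker.decode("ascii")] = sorted(offsets)
    return hits


def looks_like_nanocore(buf: bytes, min_markers: int = 3) -> bool:
    """Several distinct markers in one region is the plugin-host type table;
    a single string on its own (a research note, a scanner's own signature
    database) is not enough to call it."""
    return len(find_markers(buf)) >= min_markers


# Constructed: a fake #Strings heap (NUL-separated names) behind some padding,
# standing in for an unpacked region like 24.2.InstallUtil.exe.6860000.10
SAMPLE_DUMP = b"\x00" * 64 + b"\x00".join([
    b"<Module>", b"NanoCore.ClientPluginHost", b"IClientNetworkHost",
    b"IClientLoggingHost", b"RebuildHostCache", b"ClientPlugin.dll",
]) + b"\x00"

# Constructed: an ordinary .NET assembly's heap with none of the markers
BENIGN_DUMP = b"\x00".join([b"<Module>", b"mscorlib", b"System.Windows.Forms",
                            b"Program", b"Main"]) + b"\x00"

# Constructed: the same markers as a UTF-16LE user-string region
WIDE_DUMP = b"".join(m.decode("ascii").encode("utf-16-le")
                     for m in NANOCORE_MARKERS[:3])

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP),
                       ("wide", WIDE_DUMP)):
        print(name, looks_like_nanocore(dump), find_markers(dump))
```

Run it against the raw bytes of a .unpack or .sdmp region; the offsets it returns are where to start in a disassembler or dnSpy. The threshold is deliberately conservative: the same marker list with min_markers=1 is a fine hunting query but will fire on anything that merely mentions NanoCore.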
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.501590109.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312118610.0000000003B94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.388004677.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.391098389.0000000004603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\AMRAW.exe, type: DROPPED
Source: Yara match File source: 23.0.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.explorers.exe.4615b59.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.449ec58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.43ccb59.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.43ccb59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.explorers.exe.4615b59.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.449ec58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.unpack, type: UNPACKEDPE
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
Behavior Graph ID: 402742
Sample: PO#KV18RE001_A5491NGOCQUANG...
Startdate: 03/05/2021
Architecture: WINDOWS
Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

Process tree (indentation shows parent/child; dropped files, network contacts and signatures are listed under the process they belong to):

PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
  dropped: C:\Users\user\AppData\Roaming\explorers.exe (PE32)
  dropped: C:\Users\user\AppData\...\InstallUtil.exe (PE32)
  dropped: C:\Users\...\explorers.exe:Zone.Identifier (ASCII)
  dropped: PO#KV18RE001_A5491...IONSERVICE5.exe.log (ASCII)
  signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  explorers.exe
    dropped: C:\Users\user\AppData\Roaming\AMRAW.exe (PE32)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    AMRAW.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures
    InstallUtil.exe
      network: 79.134.225.91 port 4488 (local source ports 49731, 49732), FINK-TELECOM-SERVICESCH, Switzerland
      dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
      dropped: C:\Users\user\AppData\Local\...\tmpE599.tmp (XML)
      dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
      schtasks.exe
        conhost.exe
      schtasks.exe
        conhost.exe
  cmd.exe
    conhost.exe
    reg.exe
explorers.exe (second start)
  signature: Multi AV Scanner detection for dropped file
InstallUtil.exe (second start)
  conhost.exe
2 other processes
  conhost.exe
  conhost.exe
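The InstallUtil.exe branch above drops tmpE599.tmp (an XML file) under AppData\Local and then launches schtasks.exe twice, which is the pattern behind the "Scheduled temp file as task from temp location" Sigma hit: a task definition written to a temp directory and imported with schtasks /create /xml. The following is an added example, not Joe Sandbox's Sigma rule, that applies that logic to process-creation events and additionally flags a schtasks.exe whose parent runs from a user-writable path (here a dropped InstallUtil.exe, not the real one under the .NET framework directory). The event lines, their key=value layout, the full paths, the task name "Updater" and the schtasks command line are all constructed assumptions; the report does not show the actual command line.

```python
"""Detection for 'schtasks.exe creating a task from an XML file in a temp
directory' (added example; not the Sigma rule the sandbox ran). The event
lines, paths and command lines below are constructed, not from this report."""
import re
from typing import Dict, List, Optional

# Constructed log format: space-separated key=value, values with spaces quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_XML_ARG = re.compile(r'/xml\s+("[^"]+"|\S+)')

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'k=v k="v with spaces"' process-creation line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def xml_argument(cmdline: str) -> Optional[str]:
    """The path handed to schtasks /xml, or None if there is no /xml switch."""
    m = _XML_ARG.search(cmdline)
    return m.group(1).strip('"') if m else None


def is_temp_task_creation(ev: Dict[str, str]) -> bool:
    """Core rule: schtasks.exe /create with an XML definition in a temp dir."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd:
        return False
    xml = xml_argument(cmd)
    return xml is not None and any(t in xml for t in TEMP_DIRS)


def has_user_writable_parent(ev: Dict[str, str]) -> bool:
    """Secondary indicator: the process that spawned schtasks.exe lives where
    an unprivileged user (or a dropper) can write."""
    parent = ev.get("ParentImage", "").lower()
    return any(p in parent for p in USER_WRITABLE)


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per matching event, with the reasons that fired."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if not is_temp_task_creation(ev):
            continue
        reasons = ["schtasks /create from temp XML"]
        if has_user_writable_parent(ev):
            reasons.append("parent runs from user-writable path")
        findings.append({"line": n, "parent": ev.get("ParentImage"),
                         "xml": xml_argument(ev.get("CommandLine", "")),
                         "reasons": reasons})
    return findings


SAMPLE_EVENTS = [
    # constructed: mirrors the dropped InstallUtil.exe -> schtasks.exe chain
    r'EventID=1 ParentImage=C:\Users\user\AppData\Roaming\InstallUtil.exe Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /create /f /tn Updater /xml C:\Users\user\AppData\Local\Temp\tmpE599.tmp"',
    # constructed benign: the OS querying one of its own tasks
    r'EventID=1 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"',
    # constructed benign: an admin importing a task definition from a deploy directory
    r'EventID=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /create /tn Backup /xml C:\Deploy\tasks\backup.xml"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The core rule alone is noisy in environments where installers stage task XML in %TEMP%, so the parent-path reason is what should drive the alert priority: a legitimate installer usually runs from Program Files or a signed package, while here the parent is a file the sample itself dropped under AppData. Pair the hit with the dropped-file record (tmpE599.tmp) and the file the task points at to close the loop.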

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.91 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
79.134.225.91 | true | Avira URL Cloud: safe | unknown