
Analysis Report PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe

Overview

General Information

Sample Name: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Analysis ID: 402742
MD5: e10c403a6eec866d5772812c5edcc0a7
SHA1: 8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
SHA256: 9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
Tags: exe, NanoCore

Detection

Nanocore, AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe (PID: 6308 cmdline: 'C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
    • cmd.exe (PID: 6700 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6792 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • explorers.exe (PID: 4496 cmdline: 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
      • AMRAW.exe (PID: 4632 cmdline: 'C:\Users\user\AppData\Roaming\AMRAW.exe' MD5: 9DD5E6B584F3AF71756DE02F45B4E0C8)
      • InstallUtil.exe (PID: 5652 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • schtasks.exe (PID: 6336 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6976 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • explorers.exe (PID: 5636 cmdline: 'C:\Users\user\AppData\Roaming\explorers.exe' MD5: E10C403A6EEC866D5772812C5EDCC0A7)
  • InstallUtil.exe (PID: 4276 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6300 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "098e4f4f-7679-4607-961c-79d0e067", "Group": "NEW", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}
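
The NanoCore configuration above is worth reading as a whole rather than only for the C2 address: "BypassUAC" is enabled and the "BypassUserAccountControlData" value is a Task Scheduler XML template whose principal runs at "HighestAvailable", which matches the "DHCP Monitor" tasks the process tree shows being registered from temp XML files. The script below is an added example (not part of the Joe Sandbox report or of NanoCore) that parses the extractor's JSON, lists the enabled security-relevant switches and the C2 endpoint, and pulls the run level, logon type and command out of the embedded task XML. Its input is an abridged copy of the configuration printed above (unused keys dropped), kept with the report's exact ending of the XML, `</Task` with no closing `>`, so the parser shows how to tolerate that truncation; the field names in the returned dict are this example's own.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample input: abridged copy of the NanoCore configuration the
# report's extractor emitted. The task XML ends in '</Task' exactly as in the
# report (no closing '>').
CONFIG_JSON = r"""{"Version": "1.2.2.0", "Mutex": "098e4f4f-7679-4607-961c-79d0e067", "Group": "NEW", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "SetCriticalProcess": "Disable", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <Hidden>false</Hidden>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}"""

# Task Scheduler XML namespace; every element in the template lives in it.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Switches whose "Enable" value changes what the implant does on the host.
SECURITY_FLAGS = ("RunOnStartup", "RequestElevation", "BypassUAC",
                  "ClearZoneIdentifier", "SetCriticalProcess", "UseCustomDNS")


def parse_task_xml(text):
    """Pull principal, settings and action fields out of a task XML body."""
    text = text.strip()
    if text.endswith("</Task"):      # tolerate the truncation seen in this report
        text += ">"
    # Drop the declaration: it claims UTF-16, but we hold already-decoded text.
    text = re.sub(r"^<\?xml[^>]*\?>", "", text).lstrip()
    root = ET.fromstring(text)

    def first(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "logon_type": first("t:Principals/t:Principal/t:LogonType"),
        "run_level": first("t:Principals/t:Principal/t:RunLevel"),
        "hidden": first("t:Settings/t:Hidden"),
        "command": first("t:Actions/t:Exec/t:Command"),
        "arguments": first("t:Actions/t:Exec/t:Arguments"),
    }


def triage_config(raw_json):
    """Reduce an extracted NanoCore config to the facts an analyst acts on."""
    cfg = json.loads(raw_json)
    c2 = [(host, cfg["Port"])
          for host in (cfg.get("Domain1"), cfg.get("Domain2")) if host]
    custom_dns = ([cfg.get("PrimaryDNSServer"), cfg.get("BackupDNSServer")]
                  if cfg.get("UseCustomDNS") == "Enable" else [])
    return {
        "version": cfg["Version"],
        "mutex": cfg["Mutex"],
        "group": cfg.get("Group"),
        "c2": c2,
        "enabled": [k for k in SECURITY_FLAGS if cfg.get(k) == "Enable"],
        "custom_dns": custom_dns,
        "uac_task": parse_task_xml(cfg["BypassUserAccountControlData"]),
    }


def elevated_task(report):
    """True when the UAC-bypass template asks for the highest available run level."""
    return report["uac_task"]["run_level"] == "HighestAvailable"


if __name__ == "__main__":
    summary = triage_config(CONFIG_JSON)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("task runs elevated:", elevated_task(summary))
```

The mutex and the C2 tuple are the two values to push into blocking and hunting straight away; "custom_dns" matters for the Networking section below, because an implant that resolves through 8.8.8.8 directly will not show up in the host's own resolver log.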

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\AMRAW.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)
00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1101f:$x1: NanoCore.ClientPluginHost
  • 0x1105c:$x2: IClientNetworkHost
  • 0x14b8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10d87:$a: NanoCore
  • 0x10d97:$a: NanoCore
  • 0x10fcb:$a: NanoCore
  • 0x10fdf:$a: NanoCore
  • 0x1101f:$a: NanoCore
  • 0x10de6:$b: ClientPlugin
  • 0x10fe8:$b: ClientPlugin
  • 0x11028:$b: ClientPlugin
  • 0x10f0d:$c: ProjectData
  • 0x6374d:$c: ProjectData
  • 0x11914:$d: DESCrypto
  • 0x6527f:$d: DESCrypto
  • 0x192e0:$e: KeepAlive
  • 0x643df:$e: KeepAlive
  • 0x172ce:$g: LogClientMessage
  • 0x134c9:$i: get_Connected
  • 0x63930:$i: get_Connected
  • 0x11c4a:$j: #=q
  • 0x11c7a:$j: #=q
  • 0x11c96:$j: #=q
  • 0x11cc6:$j: #=q
00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(table truncated; 49 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)
0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(table truncated; 107 entries in the full report)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5652, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentImage: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentProcessId: 5652, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp', ProcessId: 6336

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (full configuration as listed under Malware Configuration above)
Source: 18.2.explorers.exe.449ec58.5.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\explorers.exe | ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Virustotal: Detection: 30%
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | ReversingLabs: Detection: 12%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.InstallUtil.exe.6860000.10.unpack | Avira: Label: TR/NanoCore.fadte
Uses 32bit PE files
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.502166610.0000000000F22000.00000002.00020000.sdmp, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
Source: Binary string: InstallUtil.pdb | source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then jmp 070A3FC8h
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 79.134.225.91
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 79.134.225.91:4488
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 79.134.225.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.91 (33 identical entries)
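
The 33 "TCP traffic detected without corresponding DNS query" entries are the single most useful network signal here: the implant connects straight to 79.134.225.91:4488 from its configuration, so no hostname ever appears in a resolver log, and the port is not one a proxy or firewall policy normally allows. The script below is an added example (not part of the Joe Sandbox report) of that correlation done offline: it takes a list of DNS answers and a list of TCP connections, drops internal destinations, and reports every external destination that was never returned by DNS, with attempt count, ports and whether any port is outside an assumed "standard" set. The DNS events and connections are constructed; the resolver answers use RFC 5737 documentation addresses, and the three 4488 connections mirror the report's "192.168.2.5:49731 -> 79.134.225.91:4488" entry.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 and loopback ranges: connections inside these are not C2 candidates.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Ports treated as "standard" for the non-standard-port flag (assumed list).
STANDARD_PORTS = {21, 22, 25, 53, 80, 443, 465, 587, 993, 995}

# Constructed sample logs: what a resolver saw, and what the host connected to.
DNS_EVENTS = [
    {"query": "www.google.com", "answers": ["203.0.113.10"]},
    {"query": "api.ipify.org", "answers": ["198.51.100.20", "198.51.100.21"]},
]
CONNECTIONS = [  # (src_ip, src_port, dst_ip, dst_port)
    ("192.168.2.5", 49731, "79.134.225.91", 4488),
    ("192.168.2.5", 49732, "79.134.225.91", 4488),
    ("192.168.2.5", 49733, "79.134.225.91", 4488),
    ("192.168.2.5", 49734, "203.0.113.10", 443),
    ("192.168.2.5", 49735, "198.51.100.21", 443),
    ("192.168.2.5", 49736, "192.168.2.1", 53),
]


def is_internal(ip):
    """True for RFC 1918 and loopback addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def resolved_addresses(dns_events):
    """Every address any query resolved to during the capture."""
    return {ip for ev in dns_events for ip in ev["answers"]}


def find_unresolved_destinations(dns_events, connections):
    """Group external connections whose destination never came out of DNS."""
    known = resolved_addresses(dns_events)
    by_dst = defaultdict(lambda: {"attempts": 0, "ports": set(), "sources": set()})
    for src, _sport, dst, dport in connections:
        if is_internal(dst) or dst in known:
            continue
        rec = by_dst[dst]
        rec["attempts"] += 1
        rec["ports"].add(dport)
        rec["sources"].add(src)
    findings = []
    for dst, rec in by_dst.items():
        findings.append({
            "dst": dst,
            "attempts": rec["attempts"],
            "ports": sorted(rec["ports"]),
            "non_standard_port": any(p not in STANDARD_PORTS for p in rec["ports"]),
            "sources": sorted(rec["sources"]),
        })
    # Most persistent destination first: a beacon retrying a dead C2 floats to the top.
    return sorted(findings, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for finding in find_unresolved_destinations(DNS_EVENTS, CONNECTIONS):
        print(finding)
```

One caveat that this sample's configuration makes concrete: "UseCustomDNS" is enabled with 8.8.8.8 and 8.8.4.4, so any lookups the implant does perform bypass the host's configured resolver. Feed this correlation from a network-level DNS capture (or Sysmon Event ID 22 on the endpoint), not from the local DNS server's logs, or benign hostnames will also show up as "never resolved".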
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | String found in binary or memory: http://RnGcYy.com
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.m
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp | String found in binary or memory: http://dual-a-0001.dc-msedge.net
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://microsoft.co
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.252898213.0000000006A9E000.00000004.00000001.sdmp, explorers.exe, 00000012.00000003.340839616.00000000074DE000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adb
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/13
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1~n
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324521004.0000000006A9E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g3
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g~n
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj3
Source: explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj~n
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: explorers.exe, 00000010.00000002.325205643.0000000002F8B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318888486.00000000028F6000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325102537.0000000002F57000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325161813.0000000002F74000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508721871.000000000334F000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325409490.000000000304C000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorers.exe, 00000010.00000002.325102537.0000000002F57000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com
Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325032884.0000000002F21000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp, explorers.exe, 00000010.00000002.325409490.000000000304C000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, explorers.exe, 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, AMRAW.exe, AMRAW.exe.18.drString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
          Source: AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
          Source: explorers.exe, 00000010.00000002.324175270.0000000001288000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeWindow created: window name: CLIPBRDWNDCLASS
          Source: InstallUtil.exe, 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
          Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
          Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
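
          The matches above come from community rules that key on a handful of characteristic strings rather than on a file hash, which is why the same rule fires on raw memory dumps (.sdmp) and on unpacked PEs (.unpack) across three processes (the sample itself, explorers.exe and InstallUtil.exe). The block below is an added example, not Joe Sandbox code and not the rule authors' code, of the n-of-m distinct-string matching such rules rely on, written to scan a memory dump. The indicator list and the sample dump bytes are constructed for the illustration and are not copied from either rule or from this sample. The caveat it demonstrates is that NanoCore is a .NET binary, so many of its strings sit in memory as UTF-16LE; a scanner that only looks for ASCII misses them, which is what Yara's `ascii wide` modifier is for.

```python
"""Added example: n-of-m string scan over a memory dump, in the style of the
community Yara rules matched in this report.  Not Joe Sandbox code and not the
rule authors' code; indicators and sample bytes are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Hit:
    indicator: str
    offset: int
    encoding: str  # "ascii" or "wide" (UTF-16LE), as Yara names them


# Constructed indicator list: the kind of class/method names a .NET RAT leaves
# in memory.  Not a copy of either rule this report matched.
INDICATORS: Tuple[str, ...] = (
    "ClientPlugin",
    "ProjectData",
    "KeepAlive",
    "LogClientMessage",
    "NanoCore",
)


def _needles(indicator: str, wide: bool) -> Iterable[Tuple[str, bytes]]:
    """Yield the byte patterns to search for one indicator.

    Managed code keeps metadata identifiers as UTF-8 and user strings as
    UTF-16LE, so a dump of a .NET process carries both forms.  wide=False
    reproduces an ASCII-only rule for comparison."""
    yield "ascii", indicator.encode("ascii")
    if wide:
        yield "wide", indicator.encode("utf-16-le")


def scan(buf: bytes, indicators: Iterable[str] = INDICATORS,
         threshold: int = 4, wide: bool = True) -> Tuple[bool, List[Hit]]:
    """Return (matched, hits).  matched is True when at least `threshold`
    *distinct* indicators occur, mirroring Yara's `N of them`; repeated
    occurrences of one indicator count once."""
    hits: List[Hit] = []
    for ind in indicators:
        for enc, needle in _needles(ind, wide):
            off = buf.find(needle)
            while off != -1:
                hits.append(Hit(ind, off, enc))
                off = buf.find(needle, off + 1)
    distinct = {h.indicator for h in hits}
    return len(distinct) >= threshold, hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Occurrence count per indicator, useful when tuning a threshold."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for a .sdmp region of a managed process: mostly
# UTF-16LE strings, one ASCII identifier (present twice), and padding.
SAMPLE_DUMP: bytes = (
    b"\x00" * 32
    + _wide("ClientPlugin") + b"\x00\x00"
    + b"\xcc" * 7
    + _wide("ProjectData") + b"\x00\x00"
    + b"KeepAlive\x00"
    + b"\x90" * 16
    + _wide("LogClientMessage") + b"\x00\x00"
    + b"KeepAlive\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    matched, hits = scan(SAMPLE_DUMP)
    print("ascii+wide:", matched, summarize(hits))
    matched_ascii, hits_ascii = scan(SAMPLE_DUMP, wide=False)
    print("ascii only:", matched_ascii, summarize(hits_ascii))
```

          Run as-is, the block reports a match when both encodings are searched and a miss when only ASCII is. Read against this report, the hits inside InstallUtil.exe (listed under C:\Users\user\AppData\Local\Temp\) together with the injection signatures in the summary say that the payload was written into that process; the rule itself says nothing about the host binary, so the host's own hash is not the indicator to pivot on.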

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          .NET source code contains very large array initializations
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Source: explorers.exe.0.dr, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Source: 0.0.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Source: 16.0.explorers.exe.ab0000.0.unpack, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Source: 16.2.explorers.exe.ab0000.0.unpack, Cr2/Za1.cs | Large array initialization: .cctor: array initializer size 5470
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07054D94 CreateProcessAsUserW,
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Code function: 0_2_00EDC8B0
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Code function: 0_2_00EDA038
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 16_2_02DBD2E0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 16_2_06DF165A
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 16_2_06DF1FD0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 16_2_06DF1FC1
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0171C8B0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07056EF0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07054401
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07055BC9
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070589B2
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705B05A
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070550D0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070590E0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705D8F8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705C7B0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705A7CF
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705A7E0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705E528
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07051CA8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_07051CB8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705A358
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705A368
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_0705BAF0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070A3741
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070A1FD0
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070AA778
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070AA788
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070A44E7
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070A44F8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070AA1C8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070AA1D8
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Code function: 18_2_070A1FCB
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_001D2296
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_001D5800
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_026746A0
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_02674672
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_02674690
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Code function: 23_2_0267D2EB
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_00F220B0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_0581E480
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_0581E471
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_0581BBD4
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_06D20040
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehCnYoxwadYHoTJqQhthGLP.exe4 vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324024093.00000000065C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324299380.0000000006850000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324299380.0000000006850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000000.230265238.00000000003F0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStudent Dashboard.exeD vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324926067.0000000006EB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.323772465.00000000062C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Binary or memory string: OriginalFilenameStudent Dashboard.exeD vs PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: explorers.exe PID: 4496, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.34d4f84.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.InstallUtil.exe.5e20000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@25/16@0/1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File created: C:\Users\user\AppData\Roaming\explorers.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{098e4f4f-7679-4607-961c-79d0e06713b4}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
          Source: C:\Users\user\AppData\Roaming\explorers.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 times)
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Virustotal: Detection: 30%
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | ReversingLabs: Detection: 12%
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File read: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
          Source: unknown | Process created: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe 'C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe'
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exeProcess created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeProcess created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exeProcess created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeStatic file information: File size 1089024 > 1048576
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, 00000018.00000002.502166610.0000000000F22000.00000002.00020000.sdmp, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
          Source: Binary string: InstallUtil.pdb source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.294278895.0000000006C5B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 0000001E.00000002.408974814.0000000000962000.00000002.00020000.sdmp, dhcpmon.exe, 00000020.00000000.410937467.0000000000F92000.00000002.00020000.sdmp, dhcpmon.exe, 00000025.00000002.427799848.00000000004D2000.00000002.00020000.sdmp, dhcpmon.exe.24.dr
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: explorers.exe.0.dr, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: 0.0.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.2f0000.0.unpack, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: 16.0.explorers.exe.ab0000.0.unpack, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: 16.2.explorers.exe.ab0000.0.unpack, Az7/o1M.csHigh entropy of concatenated method names: '.ctor', 'Ap3', 'Mp4', 'd4G', 'z3X', 'Wx4', 'Nk2', 'Kb6', 'b9C', 'Az3'
          Source: C:\Users\user\AppData\Roaming\explorers.exeFile created: C:\Users\user\AppData\Roaming\AMRAW.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeFile created: C:\Users\user\AppData\Roaming\explorers.exeJump to dropped file
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
          Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run explorers

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | File opened: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\AppData\Roaming\explorers.exe | File opened: C:\Users\user\AppData\Roaming\explorers.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated for this process)
          Source: C:\Users\user\AppData\Roaming\explorers.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated for this process)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated for this process)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\AMRAW.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\AppData\Roaming\explorers.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_002FB277 sldt word ptr [eax]
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorers.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Window / User API: threadDelayed 4032
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Window / User API: threadDelayed 4716
          Source: C:\Users\user\AppData\Roaming\explorers.exe Window / User API: threadDelayed 971
          Source: C:\Users\user\AppData\Roaming\explorers.exe Window / User API: threadDelayed 8439
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Window / User API: threadDelayed 4699
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Window / User API: threadDelayed 5089
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 6072
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3375
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6416 Thread sleep time: -22136092888451448s >= -30000s
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6364 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe TID: 6344 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6164 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6172 Thread sleep count: 203 > 30
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6180 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 996 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5904 Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6764 Thread sleep count: 971 > 30
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 6764 Thread sleep count: 8439 > 30
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5904 Thread sleep count: 38 > 30
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep count: 42 > 30
          Source: C:\Users\user\AppData\Roaming\explorers.exe TID: 5424 Thread sleep time: -42000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5480 Thread sleep time: -23058430092136925s >= -30000s
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5484 Thread sleep count: 4699 > 30
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe TID: 5484 Thread sleep count: 5089 > 30
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5320 Thread sleep time: -13835058055282155s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorers.exe, 00000010.00000002.324256328.00000000012BF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.322822101.0000000005870000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.261887558.0000000003140000.00000002.00000001.sdmp, explorers.exe, 00000012.00000002.521302611.0000000006300000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.513594779.00000000057B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.519826800.0000000007230000.00000002.00000001.sdmp, InstallUtil.exe, 0000001E.00000002.414524337.0000000005470000.00000002.00000001.sdmp, dhcpmon.exe, 00000020.00000002.415529696.0000000005970000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Code function: 0_2_00EDCE38 LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\explorers.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Allocates memory in foreign processes
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
          Source: C:\Users\user\AppData\Roaming\explorers.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 10E1008
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Process created: C:\Users\user\AppData\Roaming\explorers.exe 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Roaming\AMRAW.exe 'C:\Users\user\AppData\Roaming\AMRAW.exe'
          Source: C:\Users\user\AppData\Roaming\explorers.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
          Source: InstallUtil.exe, 00000018.00000002.519680711.0000000006E6E000.00000004.00000001.sdmp Binary or memory string: Program Manager(
          Source: InstallUtil.exe, 00000018.00000002.508373194.0000000003575000.00000004.00000001.sdmp Binary or memory string: Program Manager
          Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
          Source: InstallUtil.exe, 00000018.00000002.508395811.0000000003577000.00000004.00000001.sdmp Binary or memory string: Program Managern.no
          Source: InstallUtil.exe, 00000018.00000002.519181612.000000000673D000.00000004.00000001.sdmp Binary or memory string: Program Manager 4L
          Source: InstallUtil.exe, 00000018.00000002.520076135.000000000745E000.00000004.00000001.sdmp Binary or memory string: Program Manager(OX
          Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorers.exe, 00000012.00000002.507857745.0000000001CC0000.00000002.00000001.sdmp, AMRAW.exe, 00000017.00000002.506827435.0000000001000000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.507421656.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Users\user\AppData\Roaming\explorers.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorers.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Users\user\AppData\Roaming\AMRAW.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\AMRAW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.501590109.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312118610.0000000003B94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.388004677.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.391098389.0000000004603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AMRAW.exe, type: DROPPED
Source: Yara match | File source: 23.0.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.explorers.exe.4615b59.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.449ec58.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.43ccb59.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.43ccb59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.explorers.exe.4615b59.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.449ec58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: explorers.exe, 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.508019913.0000000003481000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
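The "Detected Nanocore Rat" hits above rest on one string, NanoCore.ClientPluginHost, plus the ClientPlugin.dll type list dumped from InstallUtil.exe. The scanner below is an added example, not part of the Joe Sandbox report and not NanoCore's or Joe Sandbox's code. It looks for the type and interface names that appear in that dump in both ASCII (how they sit in the .NET #Strings metadata heap of the dropped file) and UTF-16LE (how they turn up in live process memory and user-string literals), and scores the result. The marker weights, the threshold and the sample byte blob in the test are this example's own choices; NanoCore.ClientPlugin is left out of the marker list because it is a substring of NanoCore.ClientPluginHost and would double-count.

```python
"""Score a file or memory dump for the NanoCore plugin-host marker strings.

Added example; not the Joe Sandbox report's or NanoCore's own code. It
reproduces the logic behind the "String found in binary or memory:
NanoCore.ClientPluginHost" hits: search for the ClientPlugin.dll type and
interface names in both ASCII and UTF-16LE and report which ones hit where.
Weights and threshold are this example's choice.
"""
import re
from dataclasses import dataclass, field

# Names taken from the ClientPlugin.dll type list in the report. The fully
# qualified host name is the strongest single indicator; the rest support it.
# "NanoCore.ClientPlugin" is deliberately absent: it is a substring of
# "NanoCore.ClientPluginHost" and would always co-fire.
MARKER_WEIGHTS = {
    "NanoCore.ClientPluginHost": 3,
    "IClientNetworkHost": 1,
    "IClientLoggingHost": 1,
    "IClientUIHost": 1,
    "IClientAppHost": 1,
    "ClientPlugin.dll": 1,
}

# One ASCII and one UTF-16LE pattern per marker, compiled once.
_PATTERNS = [
    (name,
     re.compile(re.escape(name.encode("ascii"))),
     re.compile(re.escape(name.encode("utf-16-le"))))
    for name in MARKER_WEIGHTS
]


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)  # marker -> [(offset, encoding)]
    score: int = 0

    @property
    def matched(self):
        return sorted(self.hits)


def scan_bytes(data: bytes) -> ScanResult:
    """Find every marker in `data`, in either encoding, with byte offsets."""
    result = ScanResult()
    for name, ascii_pat, utf16_pat in _PATTERNS:
        found = [(m.start(), "ascii") for m in ascii_pat.finditer(data)]
        found += [(m.start(), "utf-16le") for m in utf16_pat.finditer(data)]
        if found:
            result.hits[name] = sorted(found)
            result.score += MARKER_WEIGHTS[name]
    return result


def is_nanocore(data: bytes, threshold: int = 4) -> bool:
    """With the default threshold: the host marker plus at least one
    supporting name, or four supporting names on their own."""
    return scan_bytes(data).score >= threshold


def scan_file(path: str) -> ScanResult:
    """Scan a dropped file or a .sdmp-style memory dump from disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = scan_file(p)
        verdict = "NANOCORE" if r.score >= 4 else "no match"
        print(f"{p}: {verdict} score={r.score} markers={r.matched}")
```

Run it over the dumps the report names (for instance 24.2.InstallUtil.exe.6860000.10.unpack) or over any .NET binary; a clean assembly that merely references a type called ClientPlugin will not reach the threshold, which is the point of weighting the namespace-qualified host name above the interface names.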
Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.501590109.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312118610.0000000003B94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.388004677.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.391098389.0000000004603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AMRAW.exe, type: DROPPED
Source: Yara match | File source: 23.0.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.explorers.exe.4615b59.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AMRAW.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.449ec58.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.43ccb59.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.43ccb59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3a2fbc0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.3.explorers.exe.4615b59.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.395dac1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.449ec58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3ba6ac1.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorers.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5652, type: MEMORY
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b73e92.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b3da11.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44cb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4329510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d05c4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6864629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45acaa9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.3b0ade2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.45e2f2a.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4579e7a.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.44d4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.InstallUtil.exe.6860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorers.exe.4399f2a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.392ae92.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Numbers after a technique name are the report's signature-count badges for that technique; techniques without a number were not observed.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation 211 | Valid Accounts 1 | Valid Accounts 1 | Disable or Modify Tools 1 | Input Capture 21 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Obfuscated Files or Information 1 | LSASS Memory | System Information Discovery 113 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 1 | Process Injection 312 | Software Packing 1 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job 1 | Masquerading 2 | NTDS | Security Software Discovery 221 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 1 | Valid Accounts 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 151 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 151 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 312 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 402742
Sample: PO#KV18RE001_A5491NGOCQUANG...
Startdate: 03/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

Process tree (node numbers are the graph's own; the numbers in parentheses after a process name are the graph's created-file / created-registry-value counts):

2 Start
  9 PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe (15 7)
      dropped: C:\Users\user\AppData\Roaming\explorers.exe, PE32
      dropped: C:\Users\user\AppData\...\InstallUtil.exe, PE32
      dropped: C:\Users\...\explorers.exe:Zone.Identifier, ASCII
      dropped: PO#KV18RE001_A5491...IONSERVICE5.exe.log, ASCII
      signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      19 explorers.exe (4)
          dropped: C:\Users\user\AppData\Roaming\AMRAW.exe, PE32
          signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
          31 AMRAW.exe
              signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures
          34 InstallUtil.exe
              network: 79.134.225.91, ports 4488, 49731, 49732, FINK-TELECOM-SERVICESCH, Switzerland
              dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
              dropped: C:\Users\user\AppData\Local\...\tmpE599.tmp, XML
              dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
              signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
              42 schtasks.exe
                  46 conhost.exe
              44 schtasks.exe
                  48 conhost.exe
      23 cmd.exe (1)
          38 conhost.exe
          40 reg.exe (1 1)
  13 explorers.exe (14 3)
      signature: Multi AV Scanner detection for dropped file
  15 InstallUtil.exe
      25 conhost.exe
  17 2 other processes
      27 conhost.exe
      29 conhost.exe
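The persistence step in the graph is node 34: InstallUtil.exe drops a tmpE599.tmp XML under AppData\Local and then runs schtasks.exe twice, which the report flags as "Sigma detected: Scheduled temp file as task from temp location" and "Uses schtasks.exe or at.exe to add and modify task schedules". The detector below is an added example, not the report's, Joe Sandbox's or the Sigma project's own rule. It parses process-creation events in a Sysmon-like shape (Image, CommandLine, ParentImage), pulls the /XML path out of `schtasks /create` command lines, and raises when that XML sits in a temp directory or when schtasks was launched from a user-writable parent. The sample events are constructed: the report does not show the actual schtasks command line or task name, so the task name, the full Temp path of the XML and the benign comparison events are assumptions.

```python
"""Flag `schtasks /create` runs that import a task from a temp-location XML.

Added example; not the Joe Sandbox report's, Joe Sandbox's or the Sigma
project's own rule. It models the InstallUtil.exe -> schtasks.exe edge in the
behaviour graph, where a tmpE599.tmp XML is dropped under AppData\Local and
then registered as a scheduled task. Field names follow Sysmon event ID 1;
the event values below are constructed, not taken from the report.
"""
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Directories a non-admin user can write to; a task scheduler launched from
# one of them is suspicious on its own.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _tokens(cmdline: str):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str):
    """Return the /XML path of a `schtasks /create ... /xml <file>` command,
    or None if the command is not a create-from-XML."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    for i, t in enumerate(low):
        if t == "/xml" and i + 1 < len(toks):
            return toks[i + 1]
    return None


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def classify(event: dict):
    """Return the list of reasons an event is suspicious, or None."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return None
    xml = parse_schtasks_create(event["CommandLine"])
    if xml is None:
        return None
    reasons = []
    if is_temp_path(xml):
        reasons.append("task XML in temp location")
    if any(d in event["ParentImage"].lower() for d in USER_WRITABLE):
        reasons.append("schtasks launched from user-writable parent")
    return reasons or None


def detect(events):
    """Run classify() over a list of events and return the alerts."""
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            alerts.append({"xml": parse_schtasks_create(e["CommandLine"]),
                           "parent": e["ParentImage"], "reasons": reasons})
    return alerts


# Constructed events. The task name, the full Temp path of the XML (the report
# truncates it to AppData\Local\...\tmpE599.tmp) and the benign events are
# assumptions; the parent image mirrors the behaviour graph.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE599.tmp"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\Program Files\Backup\task.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Nightly Backup"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Test /v x /d "C:\Users\user\AppData\Local\Temp\a.tmp"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first event fires, on both grounds. The second rule (parent in a user-writable path) is what separates this sample's chain from an administrator importing a task from a package: the report shows schtasks.exe being spawned by an InstallUtil.exe copy in AppData\Local\Temp rather than by the framework's own copy under C:\Windows\Microsoft.NET.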

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | 31% | Virustotal |
PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe | 13% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AMRAW.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Roaming\AMRAW.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\AMRAW.exe | 83% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Roaming\explorers.exe | 13% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

          Unpacked PE Files

Source | Detection | Scanner | Label
23.0.AMRAW.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
24.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
23.2.AMRAW.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
24.2.InstallUtil.exe.6860000.10.unpack | 100% | Avira | TR/NanoCore.fadte

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
(blank) | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | Avira URL Cloud | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ns.ado/1~n | 0% | Avira URL Cloud | safe
http://microsoft.co | 0% | URL Reputation | safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | Avira URL Cloud | safe
http://pki.goog/gsr1/gsr1.crt02 | 0% | Avira URL Cloud | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://RnGcYy.com | 0% | Avira URL Cloud | safe
79.134.225.91 | 0% | Avira URL Cloud | safe
http://pki.goog/repo/certs/gtsr1.der04 | 0% | Avira URL Cloud | safe
http://ns.adobe.cobj~n | 0% | Avira URL Cloud | safe
http://crl.m | 0% | URL Reputation | safe
http://ns.adobe.c/g~n | 0% | Avira URL Cloud | safe
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | 0% | Avira URL Cloud | safe
http://ns.adobe.c/g3 | 0% | Avira URL Cloud | safe
http://ns.adb | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://ns.adobe.cobj3 | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://ns.ado/13 | 0% | Avira URL Cloud | safe
http://ns.ado/1 | 0% | URL Reputation | safe
http://pki.goog/repo/certs/gts1c3.der0 | 0% | Avira URL Cloud | safe

Most of these strings are truncated fragments carved from process memory (http://ns.adobe.cobj, http://crl.m, http://microsoft.co) rather than URLs the sample requests, which is why none of them carries a reputation hit; the only network indicator actually contacted in this analysis is 79.134.225.91, listed under Contacted IPs below.

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
(blank) | true | Avira URL Cloud: safe | low
79.134.225.91 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/gsr1/gsr1.crl0; | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.cobj | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.ado/1~n | explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://microsoft.co | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/gtsr1/gtsr1.crl0W | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://pki.goog/gsr1/gsr1.crt02 | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.c/g | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.324521004.0000000006A9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://RnGcYy.com | AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schema.org/WebPage | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318888486.00000000028F6000.00000004.00000001.sdmp; explorers.exe, 00000010.00000002.325102537.0000000002F57000.00000004.00000001.sdmp; explorers.exe, 00000010.00000002.325161813.0000000002F74000.00000004.00000001.sdmp; explorers.exe, 00000012.00000002.508721871.000000000334F000.00000004.00000001.sdmp | false | - | high
http://pki.goog/repo/certs/gtsr1.der04 | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.cobj~n | explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.m | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g~n | explorers.exe, 00000012.00000003.342639154.00000000074DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.c/g3 | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adb | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.252898213.0000000006A9E000.00000004.00000001.sdmp; explorers.exe, 00000012.00000003.340839616.00000000074DE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | AMRAW.exe, 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.318817394.00000000028B1000.00000004.00000001.sdmp; explorers.exe, 00000010.00000002.325409490.000000000304C000.00000004.00000001.sdmp; explorers.exe, 00000012.00000002.508550385.0000000003321000.00000004.00000001.sdmp | false | - | high
http://ns.adobe.cobj3 | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp; explorers.exe, 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp; AMRAW.exe; AMRAW.exe.18.dr | false | URL Reputation: safe | unknown
http://ns.ado/13 | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.253905713.0000000006A9E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.ado/1 | PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe, 00000000.00000003.317216543.0000000006AA5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/repo/certs/gts1c3.der0 | explorers.exe, 00000010.00000002.324340545.000000000130A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.91 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 402742
Start date: 03.05.2021
Start time: 13:05:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@25/16@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.2%)
• Quality average: 28.3%
• Quality standard deviation: 37%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.193.48, 93.184.220.29, 20.82.209.183, 168.61.161.212, 92.122.145.220, 52.255.188.83, 172.217.23.100, 131.253.33.200, 13.107.22.200, 184.30.24.56, 20.82.210.154, 92.122.213.247, 92.122.213.249, 2.20.142.209, 2.20.142.210, 20.50.102.62, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, www.google.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
13:06:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorers C:\Users\user\AppData\Roaming\explorers.exe
13:06:49 | API Interceptor | 42x Sleep call for process: PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe modified
13:06:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorers C:\Users\user\AppData\Roaming\explorers.exe
13:07:12 | API Interceptor | 40x Sleep call for process: explorers.exe modified
13:07:51 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\InstallUtil.exe" s>$(Arg0)
13:07:51 | API Interceptor | 363x Sleep call for process: InstallUtil.exe modified
13:07:51 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
13:07:53 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
13:07:54 | API Interceptor | 298x Sleep call for process: AMRAW.exe modified
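The two Autostart rows and the two Task Scheduler rows above are the persistence this sample installs: a Run value named explorers that points into AppData\Roaming, and a task plus an HKLM Run value named DHCP Monitor whose first action runs InstallUtil.exe out of AppData\Local\Temp (the Sigma rule "Scheduled temp file as task from temp location" listed in the signatures fires on exactly that). The Python below is an added triage example and is not part of the Joe Sandbox report or its tooling: it replays these five events, reconstructed inline from the table with the Run value name folded into the key path, through two checks a responder would apply to any such list, a persistence binary located in a user-writable directory, and one display name registered through more than one persistence mechanism. The Event layout, the prefix list and every function name are this example's own assumptions.

```python
"""Persistence triage over 'Behavior and APIs' style events (added example).

Two checks run over the Autostart / Task Scheduler rows of a sandbox report:
  1. the binary behind a Run value or task action lives in a directory a
     standard user can write to (Temp, AppData, ProgramData);
  2. the same display name is registered through more than one persistence
     mechanism (here "DHCP Monitor" as both a Run value and a task).
The record layout and prefix list are this example's assumptions, not the
sandbox's own format.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed list of user-writable roots; '*' stands for one path component
# (the user name). Matching is case-insensitive after ntpath normalisation.
USER_WRITABLE_PREFIXES = (
    r"c:\users\*\appdata\local\temp",
    r"c:\users\*\appdata\local",
    r"c:\users\*\appdata\roaming",
    r"c:\programdata",
    r"c:\windows\temp",
)


def _prefix_pattern(prefix: str):
    # re.escape turns '*' into '\*'; swap that for "one path component".
    return re.compile("^" + re.escape(prefix).replace(r"\*", r"[^\\]+"), re.I)


_PREFIX_PATTERNS = [_prefix_pattern(p) for p in USER_WRITABLE_PREFIXES]


@dataclass(frozen=True)
class Event:
    time: str       # HH:MM:SS as logged
    kind: str       # "Autostart" or "Task Scheduler"
    location: str   # registry key\value name, or task name
    command: str    # raw command line as logged (may carry arguments)


# Constructed from the five persistence rows of this report.
EVENTS = [
    Event("13:06:44", "Autostart",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explorers",
          r"C:\Users\user\AppData\Roaming\explorers.exe"),
    Event("13:06:53", "Autostart",
          r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run\explorers",
          r"C:\Users\user\AppData\Roaming\explorers.exe"),
    Event("13:07:51", "Task Scheduler", "DHCP Monitor",
          r'"C:\Users\user\AppData\Local\Temp\InstallUtil.exe" s>$(Arg0)'),
    Event("13:07:51", "Autostart",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor",
          r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"),
    Event("13:07:53", "Task Scheduler", "DHCP Monitor Task",
          r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)'),
]


def binary_path(command: str) -> str:
    """Return the executable path from a logged command line.

    A leading double-quoted token is taken whole; otherwise the text up to
    the first '.exe' is the path. Arguments such as 's>$(Arg0)' are dropped.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def in_user_writable_dir(path: str) -> bool:
    """True when the path sits under one of USER_WRITABLE_PREFIXES."""
    norm = ntpath.normpath(path)
    return any(p.match(norm) for p in _PREFIX_PATTERNS)


def persistence_name(ev: Event) -> str:
    # Run keys: the value name is the last path component; tasks: the task name.
    return ev.location.rsplit("\\", 1)[-1] if ev.kind == "Autostart" else ev.location


def triage(events) -> list:
    """Return findings as dicts with time, name, path and reason."""
    findings = []
    mechanisms_by_name = {}
    for ev in events:
        path = binary_path(ev.command)
        name = persistence_name(ev)
        mechanisms_by_name.setdefault(name, set()).add(ev.kind)
        if in_user_writable_dir(path):
            findings.append({"time": ev.time, "name": name, "path": path,
                             "reason": "persistence binary in user-writable directory"})
    for name, kinds in mechanisms_by_name.items():
        if len(kinds) > 1:
            findings.append({"time": None, "name": name, "path": None,
                             "reason": "registered via " + " and ".join(sorted(kinds))})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['time'] or '--:--:--'}  {f['name']:<18} {f['reason']}  {f['path'] or ''}")
```

Run against the five events, the first check flags both explorers values and the DHCP Monitor task (three findings), and the second check flags the name DHCP Monitor once for being registered as both a Run value and a scheduled task; the HKLM value and the DHCP Monitor Task that point at Program Files (x86) pass the first check, which is the reason the cross-mechanism check is worth keeping beside it.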

              Joe Sandbox View / Context

              IPs

Match | Associated Sample Name / URL | Detection
79.134.225.91 | UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc | malicious
79.134.225.91 | ENrYP02wGO.exe | malicious
79.134.225.91 | UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.doc | malicious
79.134.225.91 | DHL file.exe | malicious
79.134.225.91 | Swift 5893038993.exe | malicious
79.134.225.91 | PO 67961.exe | malicious
79.134.225.91 | PO 77390029.exe | malicious
79.134.225.91 | SWIFT TT.exe | malicious
79.134.225.91 | Ugovor o prodajnom nalogu PO-0091870_25 Meka koza.exe | malicious
79.134.225.91 | 51INVOICES.exe | malicious

                                  Domains

                                  No context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | b2NaDSFu9T.exe | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | Original title deed.xlsx | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | ORDER INQUIRY.doc | malicious | 79.134.225.52
FINK-TELECOM-SERVICESCH | To1sRo1E8P.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | BhTxt5BUvy.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | SCAN_ORDER & SAMPLES.exe | malicious | 79.134.225.52
FINK-TELECOM-SERVICESCH | Apr-advance payment #5972939.exe | malicious | 79.134.225.9
FINK-TELECOM-SERVICESCH | PpkzTxJVyC.exe | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | Original title deed.xlsx | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | swift copy.exe | malicious | 79.134.225.48
FINK-TELECOM-SERVICESCH | swift copy.exe | malicious | 79.134.225.48
FINK-TELECOM-SERVICESCH | jk55xlWn7a.exe | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | Qds5xiJaAX.exe | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | INVOICE.xlsx | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc | malicious | 79.134.225.91
FINK-TELECOM-SERVICESCH | Payment-Confirmation_Copy.exe | malicious | 79.134.225.108
FINK-TELECOM-SERVICESCH | owrCPP2YTC.exe | malicious | 79.134.225.26
FINK-TELECOM-SERVICESCH | Payment Advice-BCS_ECS9522020090915390034_3159_952.jar | malicious | 79.134.225.59
FINK-TELECOM-SERVICESCH | nciv84yXK1.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | Rechnung.exe | malicious | 79.134.225.39

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | M2Ia9NwhS0.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Z1ZdFWqLdS.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ENrYP02wGO.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Quotation#73280126721_Oriental_Fastech_Manufacturing.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Quotation#73280126721_Oriental_Fastech_Manufacturings.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | OFF8mgLVHc.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 06BUvGWk7B.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 4yO0B3vPLc.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | RWtutTA7Hl.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | NEWQUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | APRILQUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Sample Qoutation List.exe | malicious

                                                                          Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Note that the 0% detection and the "Malicious: false" verdict apply to this 41 KB stub on its own; it is the binary launched by the DHCP Monitor Run value and the DHCP Monitor Task recorded under Behavior and APIs, and the same file appears in the twenty other malicious analyses listed below, so it is still an indicator worth hashing.
Joe Sandbox View:
• Filename: M2Ia9NwhS0.exe, Detection: malicious
• Filename: Z1ZdFWqLdS.exe, Detection: malicious
• Filename: ENrYP02wGO.exe, Detection: malicious
• Filename: Quotation#73280126721_Oriental_Fastech_Manufacturing.exe, Detection: malicious
• Filename: Quotation#73280126721_Oriental_Fastech_Manufacturings.exe, Detection: malicious
• Filename: OFF8mgLVHc.exe, Detection: malicious
• Filename: 06BUvGWk7B.exe, Detection: malicious
• Filename: 4yO0B3vPLc.exe, Detection: malicious
• Filename: RWtutTA7Hl.exe, Detection: malicious
• Filename: APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe, Detection: malicious
• Filename: QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe, Detection: malicious
• Filename: NEWQUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe, Detection: malicious
• Filename: APRILQUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe, Detection: malicious
• Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
• Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
• Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
• Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious
• Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
• Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious
• Filename: Sample Qoutation List.exe, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 329
Entropy (8bit): 5.324195011891804
Encrypted: false
SSDEEP: 6:Q3La/xwc1K9rDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/h1K9rDLI4M9tDLI4MWuPk21v
MD5: 0F3825E2D8885E05820523A5D8DFEF9C
SHA1: E6AA2D5D00CE5F875C75B9490F21F2D6B3F0DED3
SHA-256: 2F3769543004FF49CB3B6EF06AC5FD6A402DB0C2546E365639338CA2F4049EBE
SHA-512: D8FBAEEABF2D33EAF4FF5AADEBF86C233145502560A42B88EBDE455AE2B001F52728E4CE6C59DBCCA37CBF25BA485F5FC5527E992AB66957C6252CF1956F237C
Malicious: false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe.log
Process: C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1402
Entropy (8bit): 5.338819835253785
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MgvjHK5HKXE1qHbHK5AHKzvRYHKhQnoe
MD5: F1E06E4F4EF9FA0C9448442F167F7AEF
SHA1: E1A19E11BFB223AFC00842D4AED18D66D9E19D58
SHA-256: 6B353B5943CA10D6C09D299DF552FF6691DDAB065914770A1B34146419A98559
SHA-512: 3D8A7F6403016CDCAC7C536FFD295E9AB761D8B1F89794FE5FF4E93284659A938808DB695AD5CE4455B5BC112F626490AFB508E56A0A57864A0EDE527768F274
Malicious: true
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):329
                                                                          Entropy (8bit):5.324195011891804
                                                                          Encrypted:false
                                                                          SSDEEP:6:Q3La/xwc1K9rDLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/h1K9rDLI4M9tDLI4MWuPk21v
                                                                          MD5:0F3825E2D8885E05820523A5D8DFEF9C
                                                                          SHA1:E6AA2D5D00CE5F875C75B9490F21F2D6B3F0DED3
                                                                          SHA-256:2F3769543004FF49CB3B6EF06AC5FD6A402DB0C2546E365639338CA2F4049EBE
                                                                          SHA-512:D8FBAEEABF2D33EAF4FF5AADEBF86C233145502560A42B88EBDE455AE2B001F52728E4CE6C59DBCCA37CBF25BA485F5FC5527E992AB66957C6252CF1956F237C
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorers.exe.log
                                                                          Process:C:\Users\user\AppData\Roaming\explorers.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1402
                                                                          Entropy (8bit):5.338819835253785
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MgvjHK5HKXE1qHbHK5AHKzvRYHKhQnoe
                                                                          MD5:F1E06E4F4EF9FA0C9448442F167F7AEF
                                                                          SHA1:E1A19E11BFB223AFC00842D4AED18D66D9E19D58
                                                                          SHA-256:6B353B5943CA10D6C09D299DF552FF6691DDAB065914770A1B34146419A98559
                                                                          SHA-512:3D8A7F6403016CDCAC7C536FFD295E9AB761D8B1F89794FE5FF4E93284659A938808DB695AD5CE4455B5BC112F626490AFB508E56A0A57864A0EDE527768F274
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
                                                                          C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          Process:C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):41064
                                                                          Entropy (8bit):6.164873449128079
                                                                          Encrypted:false
                                                                          SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                          MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                          SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                          SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                          SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                          C:\Users\user\AppData\Local\Temp\tmpE599.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1313
                                                                          Entropy (8bit):5.093424447017177
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK04Kxtn:cbk4oL600QydbQxIYODOLedq35Kj
                                                                          MD5:68460D49E128AB4771263EBC0867AE2F
                                                                          SHA1:E0E9E16542C035AFAC4ADAB3D0CD4E79C2AFA7CA
                                                                          SHA-256:756FE41C40BE1C99B9796A3BE92D2EBBD7C21CDD0256DACA2B601B66E8998A0F
                                                                          SHA-512:755D2907DD5384924079AD01F3B4CF90CD074E7FFB226BC30FD4B301E60F641C1764FAD07F3EA70DD4518F05B6D6153B9E4CD727B09395BE800424FC7E3DCE71
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Local\Temp\tmpE914.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1310
                                                                          Entropy (8bit):5.109425792877704
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\AMRAW.exe
                                                                          Process:C:\Users\user\AppData\Roaming\explorers.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):221696
                                                                          Entropy (8bit):6.057577690833656
                                                                          Encrypted:false
                                                                          SSDEEP:3072:19WWLgRkbykTD62A++032vmBxqzHWdUiQeG40AuQsfVLhnfpMOHSvHkcTbeqeA1+:1Lgiwv7MUdzACfeBHbB51uGU
                                                                          MD5:9DD5E6B584F3AF71756DE02F45B4E0C8
                                                                          SHA1:DEFEC0D8908D24390BC8B39534C208CBD5702C84
                                                                          SHA-256:9490E210852A6E7F07B822A4DCD5BD8B2B4BBDDB8933226E7730778757A0BCD2
                                                                          SHA-512:CAF3D94C9BE9486C634C544B67EEAE8A019DCAD1C778202889184C46C07E66297C8EC88B8B8FBFC1051815F70144B0D837F2110EA8C3CF8A1579DE79B619C5FF
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\AMRAW.exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=n`.................X...........v... ........@.. ....................................@..................................u..S.................................................................................... ............... ..H............text...$V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B.................v......H...........,.............................................................(....*..(....*.s.........s.........s.........s.........*...0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0............+......,........,........,.+.+...(....(....*...0..(.........+......,........,........,.+.+..(....*.0..,.......
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:7Jt:Vt
                                                                          MD5:EA7789329E42F1212F25CEA003A72D4E
                                                                          SHA1:BF98DC123F92DF4A3DDD42B1071FCE312247B88A
                                                                          SHA-256:AA158117B40BCC740BE67736C6B9604CFC67A604162EDDBAA599CC3D92534281
                                                                          SHA-512:D434D22719E4368084495FA02552B8D0B6BFA9C39C67282C9C3097179B0C0A477C151246DB92B2DBAAA5DBBB2B178C6606AEA25C93AADFC75B1B9DB7ED10B40F
                                                                          Malicious:true
                                                                          Preview: {.I o..H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):50
                                                                          Entropy (8bit):4.239079570624175
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNUkh4E2J5xAIOWRxRI0dAn:oN923f5RndA
                                                                          MD5:443F1FE7AA35BF3BD5FC0A174BDB74C9
                                                                          SHA1:145A60A063BD0F43B9E8C36EB147FF8CB8BEB9CD
                                                                          SHA-256:0EA7D1E2A5A832F6BCE9C58BC9BD9D1983914A7FA905EAFEEB4A02D9D0DBE683
                                                                          SHA-512:084751435DCB88800CAAFFD1A1414FDA1F5F9E68269768DC3618BC6BCD5656D9A285DD4BDE047A7FF6ECB404926A89C3E06DCCF1F927DE6FA93DB033E8134137
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          C:\Users\user\AppData\Roaming\explorers.exe
                                                                          Process:C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1089024
                                                                          Entropy (8bit):6.500553265713181
                                                                          Encrypted:false
                                                                          SSDEEP:12288:/3MWjQo86HiBADJuSxRvi1W8rLZ2LCs3UCrhDxYIuhY8H3MOPiBV+yOlr5BibS:/lB2VILZZtDruhKO6BV+yOR
                                                                          MD5:E10C403A6EEC866D5772812C5EDCC0A7
                                                                          SHA1:8C1D7EE58C5C767B58A01425B8584A3F9ABF9C52
                                                                          SHA-256:9741AB464F2DA0EC1EFFB39154615874073CCD368F77260B865C7FA7ACD123B0
                                                                          SHA-512:B3F27EB76B5A9B38AFA1314F5702A16153867251416E12F28AEA0BBB5E39A7BC756287F3A5B836C4C3C178148500D96DA5E27183DAB70B285F5BCC14285AFEBF
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....oM................................. ........@.. ....................................`.................................d...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......0...4.......5........L..........................................z^....c....].v(f'.o.....n.%.5...|p.......P.=s...^........`u.]>.o0.I.gU.....O....!.9^;P.>.Z....Rcy...S..*...}...q.z.tP..W.B.~!{.1xW...C...H.B...Pbo9..G. .72...w..;.......a.*1"...:.L.W6....P.. .;.9...%......-.3....*.Z.<....#..Bi..C.0\....!.....D..E.!.j(.8.oMl...{?........e.R2....+.{g*...*.....i.....TY.9r{:.X.B..(......"6..b.K.v....^....e.+.2...s&&...u..Z.....T? k..[....*|w-.....
                                                                          C:\Users\user\AppData\Roaming\explorers.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                          \Device\ConDrv
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2017
                                                                          Entropy (8bit):4.663189584482275
                                                                          Encrypted:false
                                                                          SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                                                          MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                                                          SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                                                          SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                                                          SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                                                          Malicious:false
                                                                          Preview: Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):6.500553265713181
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
                                                                          File size:1089024
                                                                          MD5:e10c403a6eec866d5772812c5edcc0a7
                                                                          SHA1:8c1d7ee58c5c767b58a01425b8584a3f9abf9c52
                                                                          SHA256:9741ab464f2da0ec1effb39154615874073ccd368f77260b865c7fa7acd123b0
                                                                          SHA512:b3f27eb76b5a9b38afa1314f5702a16153867251416e12f28aea0bbb5e39a7bc756287f3a5b836c4c3c178148500d96da5e27183dab70b285f5bcc14285afebf
                                                                          SSDEEP:12288:/3MWjQo86HiBADJuSxRvi1W8rLZ2LCs3UCrhDxYIuhY8H3MOPiBV+yOlr5BibS:/lB2VILZZtDruhKO6BV+yOR
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....oM................................. ........@.. ....................................`................................

                                                                          File Icon

                                                                          Icon Hash:eaee8e96b2a8e0b2

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4fe0be
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                           DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA (HIGH_ENTROPY_VA only affects 64-bit images and is ignored for this 32-bit one; DYNAMIC_BASE is what allows the loader to rebase it)
                                                                          Time Stamp:0x4D6FBB1E [Thu Mar 3 16:00:30 2011 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                           Instruction
                                                                           jmp dword ptr [00402000h]
                                                                           (the remaining bytes of the preview are 0x00 and disassemble as `add byte ptr [eax], al`; they are padding, not code)
                                                                           
                                                                           This is the standard native entry stub of a .NET executable: a single indirect jump through the IAT slot at 0x402000 (image base 0x400000 + IAT RVA 0x2000), which the loader fills with the address of mscoree.dll!_CorExeMain, the only import. All real logic is CIL reached through the CLR header at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so the native entrypoint disassembly says nothing about the sample's behaviour; the managed code has to be decompiled instead.

                                                                          Data Directories

                                                                           Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                           IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xfe064         | 0x57         | .text
                                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x100000        | 0xd680       | .rsrc
                                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x10e000        | 0xc          | .reloc
                                                                           IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                                           IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                                           
                                                                           The sizes are the ones expected of a plain managed image: the IAT is one 4-byte slot plus its null terminator (0x8), the COM descriptor is exactly one IMAGE_COR20_HEADER (0x48), and the base relocation directory (0xc) is a single block with one entry, the fixup for the absolute IAT address in the entry stub's jmp. No SECURITY (Authenticode) and no DEBUG directory are present.

                                                                          Sections

                                                                           Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                                                           .text  | 0x2000          | 0xfc0c4      | 0xfc200  | False    | 0.622465875992  | data      | 6.51101135179  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                           .rsrc  | 0x100000        | 0xd680       | 0xd800   | False    | 0.0849428530093 | data      | 3.69603513693  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                           .reloc | 0x10e000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                           
                                                                           .text holds 0xfc200 bytes, about 95% of the 1,089,024-byte file, at an entropy of 6.51 bits per byte. In a managed image .text contains the CLR metadata, the CIL and any embedded data, so a section of this size and entropy in what the version resource calls a "Student Dashboard" application is consistent with a large embedded compressed or encrypted blob rather than with compiled CIL alone. The .rsrc section is almost entirely the 0xd228-byte icon.
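                                                                           The entry-stub check, the data-directory layout and the per-section entropy figures above can be reproduced with a small amount of PE parsing. The script below is an added example, not part of the sandbox report or its tooling. Since the sample is not reproduced here, build_minimal_pe() constructs a synthetic PE32 with the same skeleton (IAT at RVA 0x2000, CLR header at RVA 0x2008, an FF 25 jump at the entry point; the section contents are constructed test data) and the same checks are applied to it, or to any 32-bit PE passed as a path. The 6.0 entropy threshold is a heuristic chosen for this example.

```python
"""Static PE checks behind the tables above: per-section Shannon entropy and the
managed (.NET) entry stub. Added example, not part of the sandbox report; the
sample is not available here, so build_minimal_pe() constructs a synthetic PE32
with the same layout. Pass a file path to check a real 32-bit PE."""
import math
import struct
import sys
from collections import Counter

DIR_IAT = 12             # IMAGE_DIRECTORY_ENTRY_IAT
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 parser: machine, entry point, image base, data directories, sections."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr,
                         "executable": bool(chars & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def is_managed_stub(image: bytes, pe: dict) -> bool:
    """True when a CLR header exists and the native entry point is the 6-byte
    'FF 25 <absolute IAT slot>' jump (the report's 'jmp dword ptr [00402000h]')."""
    clr_rva, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    if not clr_rva or not clr_size:
        return False
    off = rva_to_offset(pe, pe["entry_rva"])
    if image[off:off + 2] != b"\xff\x25":
        return False
    slot = struct.unpack_from("<I", image, off + 2)[0] - pe["image_base"]
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    return iat_rva <= slot < iat_rva + iat_size


def suspicious_sections(pe: dict, threshold: float = 6.0) -> list:
    """Executable sections above a heuristic entropy threshold; in a managed image
    this usually means a large embedded compressed or encrypted blob."""
    return [s["name"] for s in pe["sections"] if s["executable"] and s["entropy"] > threshold]


def build_minimal_pe(payload: bytes, image_base: int = 0x400000) -> bytes:
    """Constructed test input, not the analysed sample: one .text section at RVA 0x2000
    (file offset 0x200) = 8-byte IAT, 0x48-byte CLR header placeholder, FF 25 stub, payload."""
    text_rva, text_raw = 0x2000, 0x200
    stub = b"\xff\x25" + struct.pack("<I", image_base + text_rva)
    text = b"\0" * 8 + b"\0" * 0x48 + stub + payload
    text += b"\0" * (-len(text) % 0x200)  # pad to the 0x200 file alignment
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_rva, 8), (text_rva + 8, 0x48)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 8, 0, len(text), 0, 0,
                      text_rva + 0x50, text_rva, 0, image_base, 0x1000, 0x200, 4, 0, 0, 0,
                      4, 0, 0, text_rva + len(text) + 0x1000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text), text_raw,
                      0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (text_raw - len(hdr)) + text


if __name__ == "__main__":  # usage: python pe_check.py <file.exe>
    data = open(sys.argv[1], "rb").read()
    info = parse_pe(data)
    print({s["name"]: round(s["entropy"], 2) for s in info["sections"]},
          "managed stub:", is_managed_stub(data, info), "high entropy:", suspicious_sections(info))
```

                                                                           Run against this sample the checks would confirm the managed stub and flag .text (entropy 6.51). Read the entropy together with the section size: a high-entropy 1 MB executable section in a small application is where an embedded, encrypted second stage usually lives, while a small high-entropy section is often just metadata and strings.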

                                                                          Resources

                                                                           Name          | RVA      | Size   | Type | Language | Country
                                                                           RT_ICON       | 0x1000e8 | 0xd228 | data |          |
                                                                           RT_GROUP_ICON | 0x10d310 | 0x14   | data |          |
                                                                           RT_VERSION    | 0x10d324 | 0x35c  | data |          |

                                                                          Imports

                                                                           DLL         | Import
                                                                           mscoree.dll | _CorExeMain
                                                                           
                                                                           Every .NET executable imports exactly this one function, so the Import Hash listed under Static PE Info is shared by managed binaries in general and is not a useful pivot for this sample; the Win32 APIs it actually uses are resolved at runtime by the CLR and only show up in the decompiled code or in the dynamic analysis.

                                                                          Version Infos

                                                                           Description      | Data
                                                                           Translation      | 0x0000 0x04b0
                                                                           LegalCopyright   | Copyright 2017
                                                                           Assembly Version | 1.0.0.0
                                                                           InternalName     | Student Dashboard.exe
                                                                           FileVersion      | 1.0.0.0
                                                                           CompanyName      |
                                                                           LegalTrademarks  |
                                                                           Comments         |
                                                                           ProductName      | Student Dashboard
                                                                           ProductVersion   | 1.0.0.0
                                                                           FileDescription  | Student Dashboard
                                                                           OriginalFilename | Student Dashboard.exe
                                                                           
                                                                           The version resource describes a "Student Dashboard" application with a 2017 copyright, the file was delivered under a purchase-order name (PO#KV18RE001_...), and the PE header carries a March 2011 build timestamp. None of the three agree, so the version strings and the timestamp should be treated as decoration rather than provenance; the file hashes, SSDEEP and icon hash above are the values to pivot on.

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                           Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
                                                                           May 3, 2021 13:07:53.741492987 CEST | 49731       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:07:53.822318077 CEST | 4488        | 49731     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:07:54.399885893 CEST | 49731       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:07:54.481575012 CEST | 4488        | 49731     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:07:55.009277105 CEST | 49731       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:07:55.093800068 CEST | 4488        | 49731     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:07:59.261782885 CEST | 49732       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:07:59.342500925 CEST | 4488        | 49732     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:07:59.903738976 CEST | 49732       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:07:59.986149073 CEST | 4488        | 49732     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:00.509820938 CEST | 49732       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:00.590341091 CEST | 4488        | 49732     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:04.606064081 CEST | 49733       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:04.688338041 CEST | 4488        | 49733     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:05.213649988 CEST | 49733       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:05.296262980 CEST | 4488        | 49733     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:05.807156086 CEST | 49733       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:05.888609886 CEST | 4488        | 49733     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:09.902703047 CEST | 49734       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:09.984390020 CEST | 4488        | 49734     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:10.495065928 CEST | 49734       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:10.576553106 CEST | 4488        | 49734     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:11.088857889 CEST | 49734       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:11.169452906 CEST | 4488        | 49734     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:15.185426950 CEST | 49735       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:15.265959978 CEST | 4488        | 49735     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:15.776794910 CEST | 49735       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:15.858283997 CEST | 4488        | 49735     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:16.542412996 CEST | 49735       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:16.623218060 CEST | 4488        | 49735     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:21.171705008 CEST | 49737       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:21.255683899 CEST | 4488        | 49737     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:21.761676073 CEST | 49737       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:21.844151020 CEST | 4488        | 49737     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:22.355441093 CEST | 49737       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:22.435796022 CEST | 4488        | 49737     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:26.459408998 CEST | 49738       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:26.539942026 CEST | 4488        | 49738     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:27.043288946 CEST | 49738       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:27.123836040 CEST | 4488        | 49738     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:27.637125969 CEST | 49738       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:27.717745066 CEST | 4488        | 49738     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:31.781622887 CEST | 49739       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:31.865268946 CEST | 4488        | 49739     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:32.371876955 CEST | 49739       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:32.453181028 CEST | 4488        | 49739     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:32.970765114 CEST | 49739       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:33.051184893 CEST | 4488        | 49739     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:37.076735020 CEST | 49740       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:37.161355972 CEST | 4488        | 49740     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:37.669179916 CEST | 49740       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:37.752645969 CEST | 4488        | 49740     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:38.262994051 CEST | 49740       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:38.346427917 CEST | 4488        | 49740     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:42.358278036 CEST | 49741       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:42.438920975 CEST | 4488        | 49741     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:42.950869083 CEST | 49741       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:43.032645941 CEST | 4488        | 49741     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:43.544724941 CEST | 49741       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:43.627033949 CEST | 4488        | 49741     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:47.639636993 CEST | 49742       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:47.721698046 CEST | 4488        | 49742     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:48.232615948 CEST | 49742       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           May 3, 2021 13:08:48.315445900 CEST | 4488        | 49742     | 79.134.225.91 | 192.168.2.5
                                                                           May 3, 2021 13:08:48.826404095 CEST | 49742       | 4488      | 192.168.2.5   | 79.134.225.91
                                                                           
                                                                           Every TCP packet in the capture is exchanged with 79.134.225.91 on port 4488, the only remote TCP peer. The table shows eleven connection attempts from consecutive ephemeral ports (49731 to 49742, with 49736 absent): each attempt is three client packets about 0.6 s apart, each answered by the peer roughly 80 ms later, and a fresh port is used about every 5.3 s. TCP flags are not part of this table, so it cannot distinguish handshakes from resets or data; what it does show is periodic reconnection rather than one sustained session, which is the shape to look for when hunting this beacon in flow logs.
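                                                                           The reconnect pattern in the table above is easier to reason about as connection attempts than as packets. The script below is an added example and not part of the report: it takes rows in the pipe-separated form used above (the first three attempts are embedded as input, copied from the table), groups them into attempts per remote endpoint and derives the reconnect period and reply latency, which are the numbers to carry into a flow-based detection rule for this beacon. The sandbox address 192.168.2.5 is taken from the table.

```python
"""Connection-attempt and beacon profile for the TCP table above. Added example,
not part of the report: SAMPLE_ROWS holds the first three attempts copied from
the table (one packet per row, fields separated by ' | '); the functions accept
any rows in that shape, e.g. the full table pasted into a file."""
import re
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import median

SANDBOX_IP = "192.168.2.5"  # the analysis VM's address in the table above

SAMPLE_ROWS = """\
May 3, 2021 13:07:53.741492987 CEST | 49731 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:07:53.822318077 CEST | 4488 | 49731 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:07:54.399885893 CEST | 49731 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:07:54.481575012 CEST | 4488 | 49731 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:07:55.009277105 CEST | 49731 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:07:55.093800068 CEST | 4488 | 49731 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:07:59.261782885 CEST | 49732 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:07:59.342500925 CEST | 4488 | 49732 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:07:59.903738976 CEST | 49732 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:07:59.986149073 CEST | 4488 | 49732 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:08:00.509820938 CEST | 49732 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:08:00.590341091 CEST | 4488 | 49732 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:08:04.606064081 CEST | 49733 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:08:04.688338041 CEST | 4488 | 49733 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:08:05.213649988 CEST | 49733 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:08:05.296262980 CEST | 4488 | 49733 | 79.134.225.91 | 192.168.2.5
May 3, 2021 13:08:05.807156086 CEST | 49733 | 4488 | 192.168.2.5 | 79.134.225.91
May 3, 2021 13:08:05.888609886 CEST | 4488 | 49733 | 79.134.225.91 | 192.168.2.5
"""

ROW_RE = re.compile(r"^(?P<ts>[A-Za-z]+ \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \w+ \| "
                    r"(?P<sport>\d+) \| (?P<dport>\d+) \| (?P<sip>[\d.]+) \| (?P<dip>[\d.]+)$")
Packet = namedtuple("Packet", "ts sport dport sip dip")


def parse_rows(text: str) -> list:
    """Rows to Packets. The nanosecond fraction is cut to microseconds and the
    timezone label is ignored (every row carries the same one)."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        ts += timedelta(microseconds=int(m["frac"][:6].ljust(6, "0")))
        packets.append(Packet(ts, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]))
    return packets


def connection_attempts(packets: list, local_ip: str = SANDBOX_IP) -> list:
    """One record per (local port, remote ip, remote port): packets out/in and the
    latency of each reply measured from the last unanswered outbound packet."""
    flows, pending = {}, {}
    for p in packets:
        key = (p.sport, p.dip, p.dport) if p.sip == local_ip else (p.dport, p.sip, p.sport)
        if p.sip == local_ip:
            f = flows.setdefault(key, {"start": p.ts, "out": 0, "in": 0, "rtts": []})
            f["out"] += 1
            pending[key] = p.ts
        elif key in flows:  # reply to a known attempt; unsolicited inbound is ignored
            flows[key]["in"] += 1
            if key in pending:
                flows[key]["rtts"].append((p.ts - pending.pop(key)).total_seconds())
    records = [{"port": k[0], "remote": f"{k[1]}:{k[2]}", **f} for k, f in flows.items()]
    return sorted(records, key=lambda r: r["start"])


def beacon_profile(attempts: list) -> dict:
    """Per remote endpoint: attempt count, local ports used, median gap between
    attempt starts (the reconnect period) and mean reply latency."""
    groups = {}
    for a in attempts:
        groups.setdefault(a["remote"], []).append(a)
    profile = {}
    for remote, group in groups.items():
        starts = [a["start"] for a in group]  # attempts arrive sorted by start
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        rtts = [r for a in group for r in a["rtts"]]
        profile[remote] = {"attempts": len(group),
                           "local_ports": [a["port"] for a in group],
                           "packets_out": [a["out"] for a in group],
                           "packets_in": [a["in"] for a in group],
                           "median_gap_s": round(median(gaps), 3) if gaps else None,
                           "mean_rtt_s": round(sum(rtts) / len(rtts), 3) if rtts else None}
    return profile


if __name__ == "__main__":
    for remote, stats in beacon_profile(connection_attempts(parse_rows(SAMPLE_ROWS))).items():
        print(remote, stats)
```

                                                                           On the three embedded attempts the profile reports 79.134.225.91:4488 with three packets out and three in per attempt, a median reconnect gap of 5.432 s and a mean reply latency of about 82 ms; over the full table the gap settles around 5.3 s. Keying attempts on the local ephemeral port is what separates "one long session" from "many short reconnects", which a per-endpoint byte counter would not show.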

                                                                          UDP Packets

                                                                           Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                                           May 3, 2021 13:06:22.174220085 CEST | 54302       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:22.218880892 CEST | 53784       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:22.239577055 CEST | 53          | 54302     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:22.276005983 CEST | 53          | 53784     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:22.346694946 CEST | 65307       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:22.395575047 CEST | 53          | 65307     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:22.692821980 CEST | 64344       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:22.723948002 CEST | 62060       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:22.749566078 CEST | 53          | 64344     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:22.896493912 CEST | 53          | 62060     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:23.113645077 CEST | 61805       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:23.165100098 CEST | 53          | 61805     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:24.122306108 CEST | 54795       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:24.172823906 CEST | 53          | 54795     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:26.404886961 CEST | 49557       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:26.454777956 CEST | 53          | 49557     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:27.588558912 CEST | 61733       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:27.640285969 CEST | 53          | 61733     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:28.141489983 CEST | 65447       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:28.203963995 CEST | 53          | 65447     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:28.541178942 CEST | 52441       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:28.593797922 CEST | 53          | 52441     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:29.404376030 CEST | 62176       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:29.455929041 CEST | 53          | 62176     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:30.381952047 CEST | 59596       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:30.430632114 CEST | 53          | 59596     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:31.040618896 CEST | 65296       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:31.102690935 CEST | 53          | 65296     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:31.493056059 CEST | 63183       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:31.570593119 CEST | 53          | 63183     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:31.581655979 CEST | 60151       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:31.639872074 CEST | 53          | 60151     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:32.051129103 CEST | 56969       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:32.102524996 CEST | 53          | 56969     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:32.995342970 CEST | 55161       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:33.043905020 CEST | 53          | 55161     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:34.000562906 CEST | 54757       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:34.053355932 CEST | 53          | 54757     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:47.007205963 CEST | 49992       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:47.087236881 CEST | 53          | 49992     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:06:57.194957972 CEST | 60075       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:06:57.246695995 CEST | 53          | 60075     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:06.085053921 CEST | 55016       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:06.144013882 CEST | 53          | 55016     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:06.593669891 CEST | 64345       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:06.643677950 CEST | 53          | 64345     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:06.675110102 CEST | 57128       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:06.737744093 CEST | 53          | 57128     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:11.480854988 CEST | 54791       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:11.531817913 CEST | 53          | 54791     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:11.866717100 CEST | 50463       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:11.934973001 CEST | 53          | 50463     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:11.964849949 CEST | 50394       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:12.021977901 CEST | 53          | 50394     | 8.8.8.8     | 192.168.2.5
                                                                           May 3, 2021 13:07:12.049449921 CEST | 58530       | 53        | 192.168.2.5 | 8.8.8.8
                                                                           May 3, 2021 13:07:12.107295990 CEST | 53          | 58530     | 8.8.8.8     | 192.168.2.5
                                                                           
                                                                           All UDP traffic is DNS: 28 queries from 192.168.2.5 to 8.8.8.8:53, each answered within about 50 to 80 ms. The queried names are not reproduced in this section, so from this table alone the rows cannot be attributed to the sample rather than to Windows background activity in the sandbox; all of them precede the first TCP packet to 79.134.225.91 by about 40 s (13:07:12 versus 13:07:53), and the C2 traffic itself goes to a bare IP address.
                                                                          May 3, 2021 13:07:16.883862972 CEST5381353192.168.2.58.8.8.8
                                                                          May 3, 2021 13:07:16.951704025 CEST53538138.8.8.8192.168.2.5
                                                                          May 3, 2021 13:07:37.051758051 CEST6373253192.168.2.58.8.8.8
                                                                          May 3, 2021 13:07:37.103292942 CEST53637328.8.8.8192.168.2.5
                                                                          May 3, 2021 13:07:48.653448105 CEST5734453192.168.2.58.8.8.8
                                                                          May 3, 2021 13:07:48.708704948 CEST53573448.8.8.8192.168.2.5
                                                                          May 3, 2021 13:08:18.211174011 CEST5445053192.168.2.58.8.8.8
                                                                          May 3, 2021 13:08:18.288844109 CEST53544508.8.8.8192.168.2.5

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

                                                                          Start time:13:06:29
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\PO#KV18RE001_A5491NGOCQUANGTRADEPRODUCTIONSERVICE5.exe'
                                                                          Imagebase:0x2f0000
                                                                          File size:1089024 bytes
                                                                          MD5 hash:E10C403A6EEC866D5772812C5EDCC0A7
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.320373191.000000000392A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.320442796.00000000039FD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.312118610.0000000003B94000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.320551946.0000000003AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          General

                                                                          Start time:13:06:42
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
                                                                          Imagebase:0xf40000
                                                                          File size:232960 bytes
                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:06:43
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:06:43
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'explorers' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\explorers.exe'
                                                                          Imagebase:0x130000
                                                                          File size:59392 bytes
                                                                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:01
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\AppData\Roaming\explorers.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\AppData\Roaming\explorers.exe'
                                                                          Imagebase:0xab0000
                                                                          File size:1089024 bytes
                                                                          MD5 hash:E10C403A6EEC866D5772812C5EDCC0A7
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Antivirus matches:
                                                                          • Detection: 13%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:13:07:09
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\AppData\Roaming\explorers.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\AppData\Roaming\explorers.exe'
                                                                          Imagebase:0xd70000
                                                                          File size:1089024 bytes
                                                                          MD5 hash:E10C403A6EEC866D5772812C5EDCC0A7
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.519352480.000000000446C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000003.391098389.0000000004603000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.518936655.0000000004328000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.519222954.0000000004399000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.519534011.0000000004510000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          General

                                                                          Start time:13:07:42
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\AppData\Roaming\AMRAW.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\AppData\Roaming\AMRAW.exe'
                                                                          Imagebase:0x1d0000
                                                                          File size:221696 bytes
                                                                          MD5 hash:9DD5E6B584F3AF71756DE02F45B4E0C8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.501590109.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.507357011.0000000002691000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.388004677.00000000001D2000.00000002.00020000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Roaming\AMRAW.exe, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 83%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:13:07:43
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          Imagebase:0xf20000
                                                                          File size:41064 bytes
                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.519395399.0000000006860000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.501683451.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000018.00000002.519019772.0000000005E20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.512409294.00000000044C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:13:07:49
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE599.tmp'
                                                                          Imagebase:0x9f0000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:50
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:50
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE914.tmp'
                                                                          Imagebase:0x9f0000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:51
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:51
                                                                          Start date:03/05/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0
                                                                          Imagebase:0x960000
                                                                          File size:41064 bytes
                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:13:07:51
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:13:07:53
                                                                          Start date:03/05/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                          Imagebase:0xf90000
                                                                          File size:41064 bytes
                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:13:07:53
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          General

                                                                          Start time:13:08:00
                                                                          Start date:03/05/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                          Imagebase:0x4d0000
                                                                          File size:41064 bytes
                                                                          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET

                                                                          General

                                                                          Start time:13:08:00
                                                                          Start date:03/05/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7ecfc0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          Disassembly

                                                                          Code Analysis
