Analysis Report 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Overview

General Information

Sample Name:	741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Analysis ID:	403532
MD5:	cdda16bd52c7c602b534593be9149a42
SHA1:	5789cb8b8b1493de3733c66cd52d8b0180be6cd4
SHA256:	741b26251fa1fba9c4d5eb7aaca544f07859f82c296b8c01d2339a4ea2d06c58
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "caa6fa7a-f28b-4f9f-9a4a-ce9e5290", "Group": "ONEZERO", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.40", "Port": 48154, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Source: strongodss.ddns.net	Virustotal: Detection: 8%	Perma Link
Source: 79.134.225.40	Virustotal: Detection: 6%	Perma Link
Source: strongodss.ddns.net	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe	Metadefender: Detection: 21%			Perma Link
Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe	ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Virustotal: Detection: 59%	Perma Link
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Metadefender: Detection: 21%	Perma Link
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	ReversingLabs: Detection: 72%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gKpxRZsP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.2.RegSvcs.exe.6040000.10.unpack	Avira: Label: TR/NanoCore.fadte
Source: 8.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000D.00000002.261639651.00000000051A0000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.277252433.0000000004B60000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.506819869.0000000002EB5000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249624796.00000000056A0000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.513520792.0000000005D40000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.262132674.0000000005250000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.273411425.0000000004D90000.00000002.00000001.sdmp

Source: Malware configuration extractor	URLs: 79.134.225.40
Source: Malware configuration extractor	URLs: strongodss.ddns.net

Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 79.134.225.82:48154
Source: global traffic	TCP traffic: 192.168.2.5:49714 -> 79.134.225.40:48154

Source: Joe Sandbox View	IP Address: 79.134.225.40 79.134.225.40
Source: Joe Sandbox View	IP Address: 79.134.225.82 79.134.225.82

Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.40

Source: powershell.exe, 00000006.00000003.352217202.0000000009532000.00000004.00000001.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000002.00000003.318477069.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_016C34D2 NtQuerySystemInformation,	0_2_016C34D2
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_016C3498 NtQuerySystemInformation,	0_2_016C3498
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0566178E NtQuerySystemInformation,	8_2_0566178E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05661753 NtQuerySystemInformation,	8_2_05661753

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_00C27804	0_2_00C27804
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01680A99	0_2_01680A99
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01681CE0	0_2_01681CE0
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01680AEA	0_2_01680AEA
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01681D88	0_2_01681D88
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01684427	0_2_01684427
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01684438	0_2_01684438
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05548D68	8_2_05548D68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05549968	8_2_05549968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05543850	8_2_05543850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_055423A0	8_2_055423A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05542FA8	8_2_05542FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0554B638	8_2_0554B638
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0554306F	8_2_0554306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0554A210	8_2_0554A210
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05549A2F	8_2_05549A2F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 13_2_02B50709	13_2_02B50709
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02620700	15_2_02620700

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.242921492.0000000000CE4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSoapYearMonth.exeN vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.247122126.0000000004341000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDebuggerHiddenAttribute.dllX vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.250794743.0000000006330000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249575124.0000000005680000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDurmu_ vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.243399430.000000000142B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.251726911.0000000006430000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.251726911.0000000006430000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.249624796.00000000056A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Binary or memory string: OriginalFilenameSoapYearMonth.exeN vs 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Source: 00000008.00000002.511998017.000000000434C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.513739140.0000000006030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.513768537.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.501231522.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.248045352.00000000044C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.435ecb6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3321364.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.6040000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.435ecb6.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.6040000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.6044629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.33261e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.4524510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5da0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.4369529.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.6030000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.4369529.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3321364.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.4363af3.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_016C3402 AdjustTokenPrivileges,	0_2_016C3402
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_016C33CB AdjustTokenPrivileges,	0_2_016C33CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_0566154E AdjustTokenPrivileges,	8_2_0566154E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_05661517 AdjustTokenPrivileges,	8_2_05661517

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{caa6fa7a-f28b-4f9f-9a4a-ce9e52900e9d}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_01
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Mutant created: \Sessions\1\BaseNamedObjects\TfLSqZmwSYpyY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO PublisherMembershipCondition VALUES(@modelo, @fabricante, @ano, @cor);
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: Select * from PublisherMembershipCondition WHERE modelo=@modelo;zDeu erro na execu

Source: unknown	Process created: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe'
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gKpxRZsP.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB146.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB52F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe'	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gKpxRZsP' /XML 'C:\Users\user\AppData\Local\Temp\tmp30C2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gKpxRZsP.exe'	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB146.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB52F.tmp'

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, u000eu2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: gKpxRZsP.exe.0.dr, u000eu2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.c20000.0.unpack, u000eu2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe.c20000.0.unpack, u000eu2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Analysis Report 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_00C23694 push eax; ret	0_2_00C23695
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01297A38 push eax; ret	0_2_01297A39
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01297F2C pushad ; ret	0_2_01297F2D
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_016891C6 push esi; retf	0_2_016891C7
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_01690FA3 push edi; ret	0_2_0169104D
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_06861001 push es; iretd	0_2_06861020
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Code function: 0_2_06860FB9 push es; iretd	0_2_06861020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_01442BEC push cs; ret	8_2_01442BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_01442BBD push cs; ret	8_2_01442BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_01459E0A pushfd ; retf	8_2_01459E25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_01459DEC pushfd ; retf	8_2_01459DED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_014574AC push ecx; ret	8_2_014574AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_014574B8 push ebp; ret	8_2_014574B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 13_2_010F27CC push cs; ret	13_2_010F27D6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_024F27CC push cs; ret	15_2_024F27D6

Source: initial sample	Static PE information: section name: .text entropy: 7.17998377305
Source: initial sample	Static PE information: section name: .text entropy: 7.17998377305

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	File created: C:\Users\user\AppData\Roaming\gKpxRZsP.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Source: Yara match	File source: 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe PID: 6180, type: MEMORY

Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe, 00000000.00000002.244648700.000000000336A000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5983	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1366	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5210	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 407
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 907

Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe TID: 6280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe TID: 6184	Thread sleep time: -102107s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\741B26251FA1FBA9C4D5EB7AACA544F07859F82C296B8.exe TID: 6264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5872	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668	Thread sleep count: 5210 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep count: 1586 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2892	Thread sleep time: -922337203685477s >= -30000s