Analysis Report Devizni izvod za partiju 0050100073053.exe

Overview

General Information

Sample Name: Devizni izvod za partiju 0050100073053.exe
Analysis ID: 411771
MD5: 50ab414be17f4e03bee8f9c5cee06335
SHA1: d0def6e40e7858a1b8c46d46f24a6b29499c7c37
SHA256: 333b1ae9552e6a65ab7c4edee6677746e801ebed73294795b9057e17a0e284e6
Tags: exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b90524a1-4a4b-41de-ac06-59066a86", "Group": "Panda", "Domain1": "emedoo.ddns.net", "Domain2": "127.0.0.1", "Port": 5230, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "emedoo.ddns.net", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 20% Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe Metadefender: Detection: 20% Perma Link
Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: Devizni izvod za partiju 0050100073053.exe Virustotal: Detection: 65% Perma Link
Source: Devizni izvod za partiju 0050100073053.exe Metadefender: Detection: 20% Perma Link
Source: Devizni izvod za partiju 0050100073053.exe ReversingLabs: Detection: 48%
Yara detected Nanocore RAT
Source: Yara match File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Devizni izvod za partiju 0050100073053.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack Avira: Label: TR/NanoCore.fadte
Source: 34.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 2_2_05BD1C58
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 2_2_05BD1C57
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_061D5670
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then mov esp, ebp 13_2_061D4628
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_061D5660
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 4x nop then mov esp, ebp 13_2_061D4498

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49715 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49720 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49725 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49726 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49727 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.71:5230
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.71:5230
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: emedoo.ddns.net
Source: Malware configuration extractor URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown DNS query: name: emedoo.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49715 -> 79.134.225.71:5230
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.71 79.134.225.71
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_05092B9A WSARecv, 13_2_05092B9A
Source: unknown DNS traffic detected: queries for: emedoo.ddns.net
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/account/update_profile.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/account/update_profile.xmlQhttp://api.twitter.com/1.1/favorites.xmlghttp:
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/account/update_profile_image.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/account/verify_credentials.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xmlUhttp://api.twitter.com/1.1/report_spam.xml_http://api
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xmldhttp://api.twitter.com/1.1/blocks/blocking/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/blocks/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/blocks/destroy/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xmlghttp://api.twitter.com/1.1/direct_messages/sent.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xmlthttp://api.twitter.com/1.1/direct_messages/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/direct_messages/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/direct_messages/new.xml?user=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/direct_messages/new.xmlfhttp://api.twitter.com/1.1/direct_messages/sent.x
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/direct_messages/sent.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/favorites.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/favorites.xmlXhttp://api.twitter.com/1.1/followers/ids.xmlThttp://api.twi
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/favorites/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/favorites/destroy/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/followers/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/friends/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/friends/ids.xmlYhttp://api.twitter.com/1.1/followers/ids.xmlshttp://api.t
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/friendships/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/friendships/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/friendships/show.xml?
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/report_spam.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/report_spam.xmlJhttp://search.twitter.com/search.atomfhttp://api.twitter.
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/destroy/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/followers.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/friends.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/friends.xmlbhttp://api.twitter.com/1.1/statuses/followers.xmlpht
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/friends_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/home_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/mentions.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/mentions.xmlnhttp://api.twitter.com/1.1/statuses/public_timeline
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/public_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/replies.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/replies.xmlfhttp://api.twitter.com/1.1/statuses/retweet/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/retweet/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/retweeted_by_me.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets/id.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets/id.xml_http://api.twitter.com/1.1/statuses/replies.xmlS
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets_of_me.xml
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/show/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/update.xml?status=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/statuses/update.xmljhttp://api.twitter.com/1.1/statuses/user_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/statuses/user_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/trends/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/trends/available.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/trends/available.xmlThttp://api.twitter.com/1.1/trends/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/users/search.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://api.twitter.com/1.1/users/search.xmlRhttp://api.twitter.com/1.1/users/show.xmlvhttp://api.twi
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://api.twitter.com/1.1/users/show.xml
Source: powershell.exe, 00000003.00000002.530350749.000000000377B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000009.00000003.496419975.0000000007787000.00000004.00000001.sdmp String found in binary or memory: http://crl.mi
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://im.twitvid.com/api/upload
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://im.twitvid.com/api/uploadrhttp://api.twitter.com/1.1/account/verify_credentials.xmljhttp://ap
Source: powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngH
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.532843494.0000000004F41000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.532258311.0000000005111000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.534281663.0000000004591000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://search.twitter.com/search.atom
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://search.twitter.com/search.atomKhttp://search.twitter.com/trends.json
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://search.twitter.com/trends.json
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://search.twitter.com/trends/current.json
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://search.twitter.com/trends/current.jsonWhttp://search.twitter.com/trends/daily.jsonYhttp://sea
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://search.twitter.com/trends/daily.json
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://search.twitter.com/trends/weekly.json
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/audio.mp3?id=
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/getContent?id=
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twic.li/api/getUsersContent?userid=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/getUsersContent?userid=)&content_type=photos
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/getUsersContent?username=
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/photo.jpg?id=
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twic.li/api/uploadAudio
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twic.li/api/uploadAudioAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadAudioAndTweetUContent-Disposition:
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadAudioLhttp://twic.li/api/uploadAudioAndTweet:http://twic.li/api/getContentD
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadAudioiContent-disposition:
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twic.li/api/uploadPhoto
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadPhotoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadPhotoLhttp://twic.li/api/uploadPhotoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadPhotokContent-Disposition:
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadVideo
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadVideoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/uploadVideoLhttp://twic.li/api/uploadVideoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twic.li/api/video.flv?id=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twic.li/api/video.flv?id=-No
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twitter.com/oauth/access_token
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twitter.com/oauth/access_token#?x_auth_username=#&x_auth_password=1&x_auth_mode=client_authUh
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twitter.com/oauth/request_token
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twitter.com/oauth/request_token-
Source: Devizni izvod za partiju 0050100073053.exe String found in binary or memory: http://twitter.com/statuses/retweeted_to_me.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://twitter.com/statuses/retweeted_to_me.xmlfhttp://api.twitter.com/1.1/statuses/retweets/id.xmll
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlH
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://yfrog.com/api/uploadAndPost
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: http://yfrog.com/api/uploadAndPostAmultipart/form-data
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: https://api.twitter.com/oauth/access_token
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterH
Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: https://im.twitvid.com/api/authenticate
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp String found in binary or memory: https://im.twitvid.com/api/authenticateCapplication/x-www-form-urlencoded
Source: powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_024D180E NtQuerySystemInformation, 2_2_024D180E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_024D17DD NtQuerySystemInformation, 2_2_024D17DD
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_050915CE NtQuerySystemInformation, 13_2_050915CE
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_05091593 NtQuerySystemInformation, 13_2_05091593
Detected potential crypto function
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AEE60 2_2_025AEE60
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AE7F8 2_2_025AE7F8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AE430 2_2_025AE430
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A30F8 2_2_025A30F8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A10F0 2_2_025A10F0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A08F7 2_2_025A08F7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A0CA0 2_2_025A0CA0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A2918 2_2_025A2918
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A39EF 2_2_025A39EF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A19E7 2_2_025A19E7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A15A0 2_2_025A15A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A6271 2_2_025A6271
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A1E1F 2_2_025A1E1F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AAAC8 2_2_025AAAC8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AB2A0 2_2_025AB2A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AB748 2_2_025AB748
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A6770 2_2_025A6770
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A676F 2_2_025A676F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A6B11 2_2_025A6B11
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A13DF 2_2_025A13DF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A5FD0 2_2_025A5FD0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A5FE0 2_2_025A5FE0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AC7B0 2_2_025AC7B0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AC030 2_2_025AC030
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A10E1 2_2_025A10E1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A0C9F 2_2_025A0C9F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AF150 2_2_025AF150
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A5578 2_2_025A5578
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A6570 2_2_025A6570
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A556B 2_2_025A556B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A6560 2_2_025A6560
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A2915 2_2_025A2915
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025AA530 2_2_025AA530
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A699F 2_2_025A699F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A69A0 2_2_025A69A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_05BD19A6 2_2_05BD19A6
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_05BD0006 2_2_05BD0006
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_05BD0070 2_2_05BD0070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031BC348 3_2_031BC348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031BF690 3_2_031BF690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B95C0 3_2_031B95C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031BDAB0 3_2_031BDAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031BB9B8 3_2_031BB9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B8210 3_2_031B8210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B6730 3_2_031B6730
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B67A8 3_2_031B67A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B67A7 3_2_031B67A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B9DF0 3_2_031B9DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031BB9B8 3_2_031BB9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C0040 3_2_031C0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031CEE30 3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C2EA0 3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C2EA0 3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031CEE30 3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031CFB98 3_2_031CFB98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C2EA0 3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031CEE30 3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C2EA0 3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C2EA0 3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031C8D53 3_2_031C8D53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0106E028 5_2_0106E028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0106F890 5_2_0106F890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0106BD18 5_2_0106BD18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F8919 5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F44CF 5_2_010F44CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F8919 5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F44CF 5_2_010F44CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F8919 5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F8919 5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010F8919 5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0318C340 5_2_0318C340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0318F7D0 5_2_0318F7D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0318DBF0 5_2_0318DBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_031899C0 5_2_031899C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0318BDB8 5_2_0318BDB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03188210 5_2_03188210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0318BDB8 5_2_0318BDB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_031867A8 5_2_031867A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_031867A7 5_2_031867A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_010FE7DB 5_2_010FE7DB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008CB218 9_2_008CB218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008CD300 9_2_008CD300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008CF4F7 9_2_008CF4F7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008CB7A0 9_2_008CB7A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C8E20 9_2_008C8E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C6008 9_2_008C6008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008CB218 9_2_008CB218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C9650 9_2_008C9650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C7A70 9_2_008C7A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C7EE0 9_2_008C7EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C5FFA 9_2_008C5FFA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_00F47AC1 13_2_00F47AC1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F63850 13_2_04F63850
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F68938 13_2_04F68938
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F6B208 13_2_04F6B208
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F623A0 13_2_04F623A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F62FA8 13_2_04F62FA8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F6306F 13_2_04F6306F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F695FF 13_2_04F695FF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F69DE0 13_2_04F69DE0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F69538 13_2_04F69538
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D6E10 13_2_061D6E10
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D6210 13_2_061D6210
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D2600 13_2_061D2600
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D76B8 13_2_061D76B8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D8980 13_2_061D8980
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D3200 13_2_061D3200
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D9647 13_2_061D9647
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D6ED7 13_2_061D6ED7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D32C7 13_2_061D32C7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D7F9B 13_2_061D7F9B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_061D9580 13_2_061D9580
PE file contains strange resources
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AGYVBigGPY.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233546518.0000000000304000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.258236925.0000000003BD8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260833469.0000000004B90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263221899.00000000058F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263832226.00000000059F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263832226.00000000059F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245540498.0000000000344000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000C.00000002.246917473.00000000004D4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.508512327.0000000000624000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Devizni izvod za partiju 0050100073053.exe
Uses 32bit PE files
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AGYVBigGPY.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@35/31@9/2
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_024D114E AdjustTokenPrivileges, 2_2_024D114E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_024D1117 AdjustTokenPrivileges, 2_2_024D1117
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_0509138E AdjustTokenPrivileges, 13_2_0509138E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_05091357 AdjustTokenPrivileges, 13_2_05091357
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File created: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Mutant created: \Sessions\1\BaseNamedObjects\FBmlKPsCRkTxrXOa
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{b90524a1-4a4b-41de-ac06-59066a861712}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File created: C:\Users\user\AppData\Local\Temp\tmp2011.tmp Jump to behavior
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Devizni izvod za partiju 0050100073053.exe Virustotal: Detection: 65%
Source: Devizni izvod za partiju 0050100073053.exe Metadefender: Detection: 20%
Source: Devizni izvod za partiju 0050100073053.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File read: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Devizni izvod za partiju 0050100073053.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C392D9 push ebx; retf 2_2_00C392DA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36A7C push 6B7000C3h; ret 2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36B51 push 6B7000C3h; ret 2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C3631D push ebx; retf 2_2_00C3631E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36B28 push 6B7000C3h; ret 2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36CC1 push 6CE000C3h; ret 2_2_00C36CBA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36CB3 push 6CE000C3h; ret 2_2_00C36CBA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_00C36D79 push 0200C36Dh; ret 2_2_00C36D8E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A201A pushfd ; iretd 2_2_025A201B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A902C push esp; ret 2_2_025A902D
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 2_2_025A94FD push ebx; iretd 2_2_025A94FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B0720 push eax; ret 3_2_031B0733
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_031B06E0 push esp; ret 3_2_031B06B3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_01069000 push eax; mov dword ptr [esp], ecx 5_2_01069014
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_01065B19 push eax; mov dword ptr [esp], edx 5_2_01065B2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_01065EC0 push eax; mov dword ptr [esp], edx 5_2_01065ED4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_01065ED0 push eax; mov dword ptr [esp], edx 5_2_01065ED4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_03183D72 push esp; retf 5_2_03183D81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_008C6F52 push es; ret 9_2_008C6F7B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_00F462D4 push ebx; retf 13_2_00F462D6
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_00F462D1 push ebx; retf 13_2_00F462D2
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_00F4769F push es; ret 13_2_00F476A0
Source: initial sample Static PE information: section name: .text entropy: 7.66159215719
Source: initial sample Static PE information: section name: .text entropy: 7.66159215719

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File created: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe Jump to dropped file
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe File opened: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.364891578.000000000378B000.00000004.00000001.sdmp, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3086 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4301 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4110 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2946 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3846 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2879 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 785
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 429
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 4964 Thread sleep time: -102902s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 2324 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5400 Thread sleep count: 4110 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5400 Thread sleep count: 2946 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156 Thread sleep count: 3846 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6256 Thread sleep count: 50 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5804 Thread sleep count: 2879 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6316 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6324 Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6308 Thread sleep time: -2160000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6796 Thread sleep time: -100824s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412 Thread sleep count: 785 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep count: 67 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696 Thread sleep count: 429 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_0509101A GetSystemInfo, 13_2_0509101A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Thread delayed: delay time: 102902 Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 100824
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.444940190.0000000005AC7000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.444940190.0000000005AC7000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.446464104.0000000004F63000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_04F6F8B8 LdrInitializeThunk, 13_2_04F6F8B8
Enables debug privileges
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Memory written: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp Binary or memory string: Program Manager4P

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_0509339A GetSystemTimes, 13_2_0509339A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_050926DE bind, 13_2_050926DE
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe Code function: 13_2_0509268C bind, 13_2_0509268C
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411771 Sample: Devizni izvod za partiju 00... Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 13 other signatures 2->70 7 Devizni izvod za partiju 0050100073053.exe 7 2->7         started        11 dhcpmon.exe 2->11         started        process3 file4 46 C:\Users\user\AppData\...\AGYVBigGPY.exe, PE32 7->46 dropped 48 C:\Users\...\AGYVBigGPY.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\...\tmp2011.tmp, XML 7->50 dropped 52 Devizni izvod za p...50100073053.exe.log, ASCII 7->52 dropped 72 Adds a directory exclusion to Windows Defender 7->72 74 Injects a PE file into a foreign processes 7->74 13 Devizni izvod za partiju 0050100073053.exe 7->13         started        18 powershell.exe 22 7->18         started        20 powershell.exe 25 7->20         started        28 4 other processes 7->28 22 powershell.exe 11->22         started        24 schtasks.exe 11->24         started        26 powershell.exe 11->26         started        30 3 other processes 11->30 signatures5 process6 dnsIp7 60 emedoo.ddns.net 79.134.225.71, 49715, 49720, 49723 FINK-TELECOM-SERVICESCH Switzerland 13->60 62 192.168.2.1 unknown unknown 13->62 54 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->54 dropped 56 C:\Users\user\AppData\Roaming\...\run.dat, data 13->56 dropped 58 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->58 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->76 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 28->44         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
79.134.225.71
 emedoo.ddns.net Switzerland
6775 FINK-TELECOM-SERVICESCH true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
emedoo.ddns.net 79.134.225.71 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
emedoo.ddns.net true
  • Avira URL Cloud: safe
 unknown
127.0.0.1 true
  • Avira URL Cloud: safe
 unknown