Analysis Report PO #KV18RE001-A5491.exe

Overview

General Information

Sample Name: PO #KV18RE001-A5491.exe
Analysis ID: 411850
MD5: 9d9cb0f32a77d7d81296095768d3583e
SHA1: 8386cdbc85faede7527aa83b4646dff3f9edc910
SHA256: 0cbbdd2c9615f4d2de4e0232ace6b69889a54538444838ac6616a5aa39109c98
Tags: exe, NanoCore

Detection

Nanocore AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Direct Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\ammero.exe Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed3103ae-73a9-4ea2-b0ca-9ce4d3e3", "Group": "POOKIE", "Domain1": "79.134.225.91", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: 16.2.ammero.exe.9e0000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comoffice12#smtp.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ammero.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\googles.exe Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Roaming\googles.exe ReversingLabs: Detection: 38%
Multi AV Scanner detection for submitted file
Source: PO #KV18RE001-A5491.exe Virustotal: Detection: 33%
Source: PO #KV18RE001-A5491.exe Metadefender: Detection: 20%
Source: PO #KV18RE001-A5491.exe ReversingLabs: Detection: 38%
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY
Source: Yara match File source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\googles.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ammero.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO #KV18RE001-A5491.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.InstallUtil.exe.5dc0000.11.unpack Avira: Label: TR/NanoCore.fadte
Source: 17.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: PO #KV18RE001-A5491.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: PO #KV18RE001-A5491.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO #KV18RE001-A5491.exe, 00000000.00000003.268720921.00000000016DB000.00000004.00000001.sdmp, InstallUtil.exe, 00000011.00000002.478744481.0000000000482000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.358869888.00000000005F2000.00000002.00020000.sdmp, dhcpmon.exe, 00000018.00000000.361931219.00000000007A2000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.378776291.00000000009D2000.00000002.00020000.sdmp, dhcpmon.exe.17.dr
Source: Binary string: InstallUtil.pdb source: PO #KV18RE001-A5491.exe, 00000000.00000003.268720921.00000000016DB000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 00000016.00000002.358869888.00000000005F2000.00000002.00020000.sdmp, dhcpmon.exe, 00000018.00000000.361931219.00000000007A2000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.378776291.00000000009D2000.00000002.00020000.sdmp, dhcpmon.exe.17.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 4x nop then jmp 065064F9h 0_2_06505C69
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0650F898
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06F581BB
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_05D3F8A0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 4x nop then jmp 05D36629h 7_2_05D35D83
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 4x nop then jmp 05D36629h 7_2_05D35DB0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_05D3F890

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 79.134.225.91
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49691 -> 79.134.225.91:4488
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown TCP traffic detected without corresponding DNS query: 79.134.225.91
Source: ammero.exe, 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: ammero.exe, 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: ammero.exe, 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp String found in binary or memory: http://MFWCde.com
Source: googles.exe, 00000007.00000002.488779548.00000000015C6000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: googles.exe, 00000007.00000002.488779548.00000000015C6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.235475401.00000000016BA000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.232494092.00000000076DA000.00000004.00000001.sdmp, PO #KV18RE001-A5491.exe, 00000000.00000003.297857855.00000000076E1000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: googles.exe, 00000007.00000003.296832321.00000000075FA000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1j
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.232494092.00000000076DA000.00000004.00000001.sdmp, PO #KV18RE001-A5491.exe, 00000000.00000003.297857855.00000000076E1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: googles.exe, 00000007.00000003.296832321.00000000075FA000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gj
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.232494092.00000000076DA000.00000004.00000001.sdmp, PO #KV18RE001-A5491.exe, 00000000.00000003.297857855.00000000076E1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: googles.exe, 00000007.00000003.296832321.00000000075FA000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobjj
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.235475401.00000000016BA000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: googles.exe, 00000007.00000002.488779548.00000000015C6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: googles.exe, 00000007.00000002.488779548.00000000015C6000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: googles.exe, 0000000F.00000002.328049985.0000000003362000.00000004.00000001.sdmp, googles.exe, 0000000F.00000002.328086949.0000000003378000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.300286762.00000000033F1000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.491630441.0000000003401000.00000004.00000001.sdmp, googles.exe, 0000000F.00000002.328020119.0000000003331000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ammero.exe, 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: googles.exe, 00000007.00000002.489117933.0000000001603000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.300286762.00000000033F1000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.491630441.0000000003401000.00000004.00000001.sdmp, googles.exe, 0000000F.00000002.328020119.0000000003331000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.300286762.00000000033F1000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.491630441.0000000003401000.00000004.00000001.sdmp, googles.exe, 0000000F.00000002.328020119.0000000003331000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, googles.exe, 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, ammero.exe, ammero.exe.7.dr String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ammero.exe, 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: googles.exe, 00000007.00000002.488161652.0000000001559000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\ammero.exe Window created: window name: CLIPBRDWNDCLASS
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: same memory dumps and unpacked PE files as listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.500714113.0000000005020000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.InstallUtil.exe.5020000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
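The identifiers in the lines above (and in the memory-dump matches later in this report) encode where each YARA hit was found: `<process index>.<stage>.<image>.<base>.<n>[.raw].unpack` for a PE carved from memory, and `<process index>.<stage>.<dump id>.<base>.<protection>.<flags>.sdmp` for a raw dump. Reading them by hand across dozens of lines is error-prone, so here is an added Python triage helper (my own code, not Joe Sandbox's) that parses both forms, groups rule hits per process and pulls out the regions whose protection field is 0x40 (PAGE_EXECUTE_READWRITE), the usual footprint of injected or unpacked code. The field layout is an assumption from inspecting the names in this report, and the trailing flags field is not interpreted; the sample lines are constructed from identifiers on this page with the rule metadata shortened.

```python
import re
from collections import defaultdict

# winnt.h memory protection constants; 0x40 (RWX) on a private region is the classic
# footprint of code written into a process by an injector or unpacker
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumed layout of a memory-dump name as it appears in this report:
#   <process index>.<stage>.<dump id>.<base address>.<protection>.<flags>.sdmp
# (the trailing flags field is not interpreted here)
_SDMP = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# Assumed layout of an unpacked-PE name: <process index>.<stage>.<image name>.<base>.<n>[.raw].unpack
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-f]+)\.(\d+)\.(?:raw\.)?unpack$")
# "Source: <id>, type: <TYPE> Matched rule: <rule name> ..."
_MATCH_LINE = re.compile(r"^Source:\s+(?P<id>.+?),\s+type:\s+\S+\s+Matched rule:\s+(?P<rule>\S+)")


def parse_source_id(source_id):
    """Decode a dump or unpacked-PE identifier; None for ids in any other form."""
    m = _SDMP.match(source_id)
    if m:
        return {"kind": "sdmp", "process": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "base": int(m.group(4), 16), "protect": int(m.group(5), 16), "image": None}
    m = _UNPACK.match(source_id)
    if m:
        return {"kind": "unpack", "process": int(m.group(1)), "stage": int(m.group(2)),
                "base": int(m.group(4), 16), "protect": None, "image": m.group(3)}
    return None


def parse_match_line(line):
    """Extract the source id and rule name from one 'Matched rule' line."""
    m = _MATCH_LINE.match(line)
    if m is None:
        return None
    hit = parse_source_id(m.group("id"))
    if hit is not None:
        hit["rule"] = m.group("rule")
    return hit


def summarize(lines):
    """Group rule hits per process index and collect RWX regions that carried a hit."""
    summary = defaultdict(lambda: {"image": None, "rules": set(), "rwx_regions": set()})
    for line in lines:
        hit = parse_match_line(line)
        if hit is None:
            continue
        entry = summary[hit["process"]]
        entry["rules"].add(hit["rule"])
        if hit["image"]:
            entry["image"] = hit["image"]
        if hit["protect"] == 0x40:
            entry["rwx_regions"].add(hit["base"])
    return dict(summary)


def injected_processes(summary):
    """Process indexes whose YARA hits landed in RWX memory: pull those dumps first."""
    return sorted(p for p, e in summary.items() if e["rwx_regions"])


# Constructed sample: identifiers copied from this report, rule metadata shortened
SAMPLE_LINES = [
    "Source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 author = Florian Roth",
    "Source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 author = Florian Roth",
    "Source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore author = Kevin Breen",
    "Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore author = Kevin Breen",
    "Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 author = Florian Roth",
    "Source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY Matched rule: NanoCore author = Kevin Breen",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for proc in sorted(result):
        e = result[proc]
        rwx = ", ".join(f"0x{b:x}" for b in sorted(e["rwx_regions"])) or "-"
        print(f"process {proc:2d} image={e['image']} rules={sorted(e['rules'])} rwx_hits={rwx}")
```

On this report's data the helper singles out process index 0x11 (17, InstallUtil.exe): a NanoCore hit in an RWX region at 0x402000, right after the default 32-bit image base, which is consistent with the "Injects a PE file into a foreign processes" signature and makes that dump the first one to carve and run through a config extractor. Process 0 (the dropper) and 7 (the googles.exe copy in %AppData%) only show hits in readable/writable heap regions, where the embedded payload sits before injection.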
.NET source code contains very large array initializations
Source: PO #KV18RE001-A5491.exe, b6YF/e9R5.cs Large array initialization: .cctor: array initializer size 9606
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F91DC CreateProcessAsUserW, 7_2_072F91DC
Detected potential crypto function
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_0337D378 0_2_0337D378
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06507758 0_2_06507758
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06504148 0_2_06504148
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06505C69 0_2_06505C69
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06506511 0_2_06506511
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06506520 0_2_06506520
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06507C60 0_2_06507C60
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06501B58 0_2_06501B58
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06501B4A 0_2_06501B4A
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06F55EB0 0_2_06F55EB0
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06F55EAB 0_2_06F55EAB
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06F54CD0 0_2_06F54CD0
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06F54CC0 0_2_06F54CC0
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_06F54C78 0_2_06F54C78
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_0183C758 7_2_0183C758
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_0183D378 7_2_0183D378
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D36650 7_2_05D36650
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D36641 7_2_05D36641
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D34278 7_2_05D34278
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D34269 7_2_05D34269
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D37D9D 7_2_05D37D9D
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D35DB0 7_2_05D35DB0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D37DA0 7_2_05D37DA0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D3BF58 7_2_05D3BF58
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D31B58 7_2_05D31B58
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D31B4B 7_2_05D31B4B
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F9700 7_2_072F9700
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072FBF00 7_2_072FBF00
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F3F10 7_2_072F3F10
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F2798 7_2_072F2798
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F5238 7_2_072F5238
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F7428 7_2_072F7428
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F3468 7_2_072F3468
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F6CF8 7_2_072F6CF8
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F3F01 7_2_072F3F01
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F2788 7_2_072F2788
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F522A 7_2_072F522A
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072FA218 7_2_072FA218
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F8640 7_2_072F8640
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F8650 7_2_072F8650
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F8AB7 7_2_072F8AB7
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F96F0 7_2_072F96F0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072FBEF0 7_2_072FBEF0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F8AC8 7_2_072F8AC8
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072FCAD0 7_2_072FCAD0
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072FADA8 7_2_072FADA8
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F0006 7_2_072F0006
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F7418 7_2_072F7418
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F0040 7_2_072F0040
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F3458 7_2_072F3458
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_072F6CE8 7_2_072F6CE8
Source: C:\Users\user\AppData\Roaming\ammero.exe Code function: 16_2_02E446A0 16_2_02E446A0
Source: C:\Users\user\AppData\Roaming\ammero.exe Code function: 16_2_02E44630 16_2_02E44630
Source: C:\Users\user\AppData\Roaming\ammero.exe Code function: 16_2_02E445B0 16_2_02E445B0
Source: C:\Users\user\AppData\Roaming\ammero.exe Code function: 16_2_02E4D301 16_2_02E4D301
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_004820B0 17_2_004820B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3E480 17_2_04C3E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3E471 17_2_04C3E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3BBD4 17_2_04C3BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_06180040 17_2_06180040
Sample file is different than original file name gathered from version info
Source: PO #KV18RE001-A5491.exe Binary or memory string: OriginalFilename vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000000.209068942.00000000010F3000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAABBA.exe@ vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.308551963.0000000007B20000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.308551963.0000000007B20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.305645909.00000000043F7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekTxZZsFogLqcfVfqFGabTdrZoQRJoQwA.exe4 vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000003.268720921.00000000016DB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.308294344.0000000007AC0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.307227260.0000000006E70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO #KV18RE001-A5491.exe
Source: PO #KV18RE001-A5491.exe Binary or memory string: OriginalFilenameAABBA.exe@ vs PO #KV18RE001-A5491.exe
Uses 32bit PE files
Source: PO #KV18RE001-A5491.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'googles' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\googles.exe'
Yara signature match
Source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.500714113.0000000005020000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.500714113.0000000005020000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.InstallUtil.exe.5020000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.5020000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@25/16@0/2
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File created: C:\Users\user\AppData\Roaming\googles.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed3103ae-73a9-4ea2-b0ca-9ce4d3e33b39}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:492:120:WilError_01
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO #KV18RE001-A5491.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\googles.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\ammero.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\ammero.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\googles.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO #KV18RE001-A5491.exe Virustotal: Detection: 33%
Source: PO #KV18RE001-A5491.exe Metadefender: Detection: 20%
Source: PO #KV18RE001-A5491.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File read: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe
Source: unknown Process created: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe 'C:\Users\user\Desktop\PO #KV18RE001-A5491.exe'
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'googles' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'googles' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\googles.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\googles.exe 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process created: C:\Users\user\AppData\Roaming\googles.exe 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Users\user\AppData\Roaming\googles.exe Process created: C:\Users\user\AppData\Roaming\ammero.exe 'C:\Users\user\AppData\Roaming\ammero.exe'
Source: C:\Users\user\AppData\Roaming\googles.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp460B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp48BB.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe 0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO #KV18RE001-A5491.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO #KV18RE001-A5491.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO #KV18RE001-A5491.exe Static file information: File size 1270784 > 1048576
Source: PO #KV18RE001-A5491.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x125200
Source: PO #KV18RE001-A5491.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PO #KV18RE001-A5491.exe, 00000000.00000003.268720921.00000000016DB000.00000004.00000001.sdmp, InstallUtil.exe, 00000011.00000002.478744481.0000000000482000.00000002.00020000.sdmp, InstallUtil.exe, 00000016.00000002.358869888.00000000005F2000.00000002.00020000.sdmp, dhcpmon.exe, 00000018.00000000.361931219.00000000007A2000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.378776291.00000000009D2000.00000002.00020000.sdmp, dhcpmon.exe.17.dr
Source: Binary string: InstallUtil.pdb source: PO #KV18RE001-A5491.exe, 00000000.00000003.268720921.00000000016DB000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe, 00000016.00000002.358869888.00000000005F2000.00000002.00020000.sdmp, dhcpmon.exe, 00000018.00000000.361931219.00000000007A2000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.378776291.00000000009D2000.00000002.00020000.sdmp, dhcpmon.exe.17.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Code function: 0_2_00FE6CC5 push cs; ret 0_2_00FE6CCD
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_00E06CC5 push cs; ret 7_2_00E06CCD
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D38602 push E912515Eh; ret 7_2_05D38609
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D39DE3 push E804CF5Eh; retf 7_2_05D39E01
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 7_2_05D39E02 push E803D85Eh; ret 7_2_05D39E09
Source: C:\Users\user\AppData\Roaming\googles.exe Code function: 15_2_00D66CC5 push cs; ret 15_2_00D66CCD
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3E471 push ebx; mov dword ptr [esp], 5504C5D5h 17_2_04C3E47A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3E0D8 push ecx; mov dword ptr [esp], 55025597h 17_2_04C3E0EA
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 17_2_04C3C078 push ds; retf 17_2_04C3C0AE
Source: PO #KV18RE001-A5491.exe, Gd7/Wt2.cs High entropy of concatenated method names: '.ctor', 'So1', 'g7H', 'q7B', 'j5G', 'n1L', 'a4G', 'Gn3', 'Ap4', 'Cb0'
Source: PO #KV18RE001-A5491.exe, Qd7c/e5TX.cs High entropy of concatenated method names: '.ctor', 'g9PJ', 'g4QG', 'n7B2', 'He2c', 'Hq98', 'p8YG', 'Dz75', 't9JF', 'Hs1m'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File created: C:\Users\user\AppData\Roaming\googles.exe
Source: C:\Users\user\AppData\Roaming\googles.exe File created: C:\Users\user\AppData\Roaming\ammero.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp460B.tmp'
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run googles

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe File opened: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\googles.exe File opened: C:\Users\user\AppData\Roaming\googles.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\googles.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ammero.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\ammero.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\ammero.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\googles.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\googles.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ammero.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Window / User API: threadDelayed 7252
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Window / User API: threadDelayed 2283
Source: C:\Users\user\AppData\Roaming\googles.exe Window / User API: threadDelayed 3306
Source: C:\Users\user\AppData\Roaming\googles.exe Window / User API: threadDelayed 6387
Source: C:\Users\user\AppData\Roaming\ammero.exe Window / User API: threadDelayed 1867
Source: C:\Users\user\AppData\Roaming\ammero.exe Window / User API: threadDelayed 7923
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 6702
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 2854
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe TID: 5656 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe TID: 5564 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe TID: 5572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 6084 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 204 Thread sleep count: 3306 > 30
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 204 Thread sleep count: 6387 > 30
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 2168 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 1256 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 1256 Thread sleep count: 140 > 30
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 1180 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\googles.exe TID: 5860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ammero.exe TID: 2288 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\ammero.exe TID: 64 Thread sleep count: 1867 > 30
Source: C:\Users\user\AppData\Roaming\ammero.exe TID: 64 Thread sleep count: 7923 > 30
Source: C:\Users\user\AppData\Roaming\ammero.exe TID: 2288 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4868 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3704 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\ammero.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\googles.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ammero.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: reg.exe, 00000003.00000002.238586747.0000000003610000.00000002.00000001.sdmp, googles.exe, 00000007.00000002.504912111.00000000063C0000.00000002.00000001.sdmp, googles.exe, 0000000F.00000002.329073080.0000000006390000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.498184394.0000000005E50000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.501927850.0000000006790000.00000002.00000001.sdmp, InstallUtil.exe, 00000016.00000002.363387209.0000000004FB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.368041569.0000000004FD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 00000003.00000002.238586747.0000000003610000.00000002.00000001.sdmp, googles.exe, 00000007.00000002.504912111.00000000063C0000.00000002.00000001.sdmp, googles.exe, 0000000F.00000002.329073080.0000000006390000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.498184394.0000000005E50000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.501927850.0000000006790000.00000002.00000001.sdmp, InstallUtil.exe, 00000016.00000002.363387209.0000000004FB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.368041569.0000000004FD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000003.00000002.238586747.0000000003610000.00000002.00000001.sdmp, googles.exe, 00000007.00000002.504912111.00000000063C0000.00000002.00000001.sdmp, googles.exe, 0000000F.00000002.329073080.0000000006390000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.498184394.0000000005E50000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.501927850.0000000006790000.00000002.00000001.sdmp, InstallUtil.exe, 00000016.00000002.363387209.0000000004FB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.368041569.0000000004FD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: googles.exe, 00000007.00000002.488779548.00000000015C6000.00000004.00000020.sdmp, InstallUtil.exe, 00000011.00000002.480313831.0000000000ABD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: reg.exe, 00000003.00000002.238586747.0000000003610000.00000002.00000001.sdmp, googles.exe, 00000007.00000002.504912111.00000000063C0000.00000002.00000001.sdmp, googles.exe, 0000000F.00000002.329073080.0000000006390000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.498184394.0000000005E50000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.501927850.0000000006790000.00000002.00000001.sdmp, InstallUtil.exe, 00000016.00000002.363387209.0000000004FB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.368041569.0000000004FD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\googles.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\googles.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ammero.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\googles.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\googles.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 69C008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'googles' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Process created: C:\Users\user\AppData\Roaming\googles.exe 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'googles' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\googles.exe'
Source: C:\Users\user\AppData\Roaming\googles.exe Process created: C:\Users\user\AppData\Roaming\ammero.exe 'C:\Users\user\AppData\Roaming\ammero.exe'
Source: C:\Users\user\AppData\Roaming\googles.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp460B.tmp'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp48BB.tmp'
Source: googles.exe, 00000007.00000002.491040657.0000000001EE0000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.487186041.0000000001850000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.501868571.000000000664E000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: googles.exe, 00000007.00000002.491040657.0000000001EE0000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.487186041.0000000001850000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.481849848.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: googles.exe, 00000007.00000002.491040657.0000000001EE0000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.487186041.0000000001850000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.481849848.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: googles.exe, 00000007.00000002.491040657.0000000001EE0000.00000002.00000001.sdmp, ammero.exe, 00000010.00000002.487186041.0000000001850000.00000002.00000001.sdmp, InstallUtil.exe, 00000011.00000002.481849848.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Users\user\AppData\Roaming\googles.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Users\user\AppData\Roaming\googles.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\googles.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Users\user\AppData\Roaming\ammero.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ammero.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\PO #KV18RE001-A5491.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.340634193.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.477797620.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\ammero.exe, type: DROPPED
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.340634193.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.477797620.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\ammero.exe, type: DROPPED
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY
Source: Yara match File source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: PO #KV18RE001-A5491.exe, 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: googles.exe, 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000011.00000002.487174803.0000000002729000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000011.00000002.487174803.0000000002729000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.340634193.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.477797620.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\ammero.exe, type: DROPPED
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.340634193.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.477797620.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.489309809.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\ammero.exe, type: DROPPED
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.ammero.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Yara detected Nanocore RAT
Source: Yara match File source: 00000007.00000002.502894900.000000000447A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306129386.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.477862066.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.495140225.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502994681.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305699284.0000000004467000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.502813497.0000000004407000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271257920.00000000045D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501438329.0000000005DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO #KV18RE001-A5491.exe PID: 5580, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5476, type: MEMORY
Source: Yara match File source: 17.2.InstallUtil.exe.371b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.447a1d2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44ace01.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46665e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.46339b2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.45fd531.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.45eab19.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4620f9a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.449a3e9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.3724bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44d0848.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.44e3260.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.44677ba.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.37205c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO #KV18RE001-A5491.exe.45b7eea.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.5dc4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.googles.exe.4409510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.PO #KV18RE001-A5491.exe.4653bc9.2.raw.unpack, type: UNPACKEDPE
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 411850, Sample: PO #KV18RE001-A5491.exe, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

Process tree, with dropped files, network contacts and signatures listed under the process they belong to:

PO #KV18RE001-A5491.exe
  dropped: C:\Users\user\AppData\Roaming\googles.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\...\googles.exe:Zone.Identifier (ASCII); C:\Users\user\...\PO #KV18RE001-A5491.exe.log (ASCII)
  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: cmd.exe; googles.exe
    cmd.exe started: conhost.exe; reg.exe

googles.exe
  contacted: 192.168.2.1 (unknown, unknown)
  dropped: C:\Users\user\AppData\Roaming\ammero.exe (PE32)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
  started: ammero.exe; InstallUtil.exe

ammero.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures

InstallUtil.exe (started by googles.exe)
  contacted: 79.134.225.91, ports 4488, 49691, 49692, FINK-TELECOM-SERVICESCH, Switzerland
  dropped: C:\Users\user\AppData\Roaming\...\run.dat (International); C:\Users\user\AppData\Local\...\tmp460B.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: schtasks.exe (two instances), each starting its own conhost.exe

InstallUtil.exe (started from the sample root)
  started: conhost.exe

2 other processes
  started: conhost.exe (two instances)

Contacted Public IPs

IP             Domain   Country      ASN   ASN Name                 Malicious
79.134.225.91  unknown  Switzerland  6775  FINK-TELECOM-SERVICESCH  true

Private

IP
192.168.2.1

Contacted URLs

Name           Malicious  Antivirus Detection    Reputation
               true       Avira URL Cloud: safe  low
79.134.225.91  true       Avira URL Cloud: safe  unknown