Play interactive tour

Edit tour

Analysis Report xtxr8lHa5F.exe

Overview

General Information

Sample Name:	xtxr8lHa5F.exe
Analysis ID:	432024
MD5:	c89c05d0f2853fa30b535aa2544006e5
SHA1:	2e3a6adc296d26732a3c61ac761052b8793f7da0
SHA256:	b2ec2e506bc9741873e39cc6fdc07802a1180136657582ae807d5f6112cfc02a
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xtxr8lHa5F.exe (PID: 5352 cmdline: 'C:\Users\user\Desktop\xtxr8lHa5F.exe' MD5: C89C05D0F2853FA30B535AA2544006E5)

schtasks.exe (PID: 3696 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5260 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 5268 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

schtasks.exe (PID: 5020 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3564 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 3508 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 1180 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3776 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ab394965-c5ce-4154-ad1c-da01ecc2", "Group": "Mamie", "Domain1": "82.64.141.173", "Domain2": "82.64.141.173", "Port": 6666, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d05:$x1: NanoCore.ClientPluginHost 0x10d42:$x2: IClientNetworkHost 0x14875:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a6d:$a: NanoCore 0x10a7d:$a: NanoCore 0x10cb1:$a: NanoCore 0x10cc5:$a: NanoCore 0x10d05:$a: NanoCore 0x10acc:$b: ClientPlugin 0x10cce:$b: ClientPlugin 0x10d0e:$b: ClientPlugin 0x10bf3:$c: ProjectData 0x115fa:$d: DESCrypto 0x18fc6:$e: KeepAlive 0x16fb4:$g: LogClientMessage 0x131af:$i: get_Connected 0x11930:$j: #=q 0x11960:$j: #=q 0x1197c:$j: #=q 0x119ac:$j: #=q 0x119c8:$j: #=q 0x119e4:$j: #=q 0x11a14:$j: #=q 0x11a30:$j: #=q
00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2cdfb:$a: NanoCore 0x2ce54:$a: NanoCore 0x2ce91:$a: NanoCore 0x2cf0a:$a: NanoCore 0x359ee:$a: NanoCore 0x35a13:$a: NanoCore 0x35a6c:$a: NanoCore 0x45c1f:$a: NanoCore 0x45c45:$a: NanoCore 0x45ca1:$a: NanoCore 0x52b07:$a: NanoCore 0x52b60:$a: NanoCore 0x52b93:$a: NanoCore 0x52dbf:$a: NanoCore 0x52e3b:$a: NanoCore 0x53454:$a: NanoCore 0x5359d:$a: NanoCore 0x53a71:$a: NanoCore 0x53d58:$a: NanoCore 0x53d6f:$a: NanoCore 0x5cc1f:$a: NanoCore
00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3bda65:$x1: NanoCore.ClientPluginHost 0x3bdaa2:$x2: IClientNetworkHost 0x3c15d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bd7cd:$a: NanoCore 0x3bd7dd:$a: NanoCore 0x3bda11:$a: NanoCore 0x3bda25:$a: NanoCore 0x3bda65:$a: NanoCore 0x3bd82c:$b: ClientPlugin 0x3bda2e:$b: ClientPlugin 0x3bda6e:$b: ClientPlugin 0x3bd953:$c: ProjectData 0x3be35a:$d: DESCrypto 0x3c5d26:$e: KeepAlive 0x3c3d14:$g: LogClientMessage 0x3bff0f:$i: get_Connected 0x3be690:$j: #=q 0x3be6c0:$j: #=q 0x3be6dc:$j: #=q 0x3be70c:$j: #=q 0x3be728:$j: #=q 0x3be744:$j: #=q 0x3be774:$j: #=q 0x3be790:$j: #=q
00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9c35:$a: NanoCore 0x9c8e:$a: NanoCore 0x9ccb:$a: NanoCore 0x9d44:$a: NanoCore 0x12818:$a: NanoCore 0x1283d:$a: NanoCore 0x12896:$a: NanoCore 0x22a33:$a: NanoCore 0x22a59:$a: NanoCore 0x22ab5:$a: NanoCore 0x2f90a:$a: NanoCore 0x2f963:$a: NanoCore 0x2f996:$a: NanoCore 0x2fbc2:$a: NanoCore 0x2fc3e:$a: NanoCore 0x30257:$a: NanoCore 0x303a0:$a: NanoCore 0x30874:$a: NanoCore 0x30b5b:$a: NanoCore 0x30b72:$a: NanoCore 0x39a14:$a: NanoCore
00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
Process Memory Space: xtxr8lHa5F.exe PID: 5352	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14d54a:$x1: NanoCore.ClientPluginHost 0x14d5ab:$x2: IClientNetworkHost 0x1529b0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x160922:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: xtxr8lHa5F.exe PID: 5352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xtxr8lHa5F.exe PID: 5352	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: xtxr8lHa5F.exe PID: 5352	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14d04f:$a: NanoCore 0x14d06b:$a: NanoCore 0x14d1c6:$a: NanoCore 0x14d1d5:$a: NanoCore 0x14d4ae:$a: NanoCore 0x14d4da:$a: NanoCore 0x14d54a:$a: NanoCore 0x15cf8c:$a: NanoCore 0x15cf9e:$a: NanoCore 0x15cfda:$a: NanoCore 0x14d0f6:$b: ClientPlugin 0x14d21f:$b: ClientPlugin 0x14d4e3:$b: ClientPlugin 0x14d553:$b: ClientPlugin 0x15cfa7:$b: ClientPlugin 0x15cfe3:$b: ClientPlugin 0x14d36c:$c: ProjectData 0x15ced9:$c: ProjectData 0x4b930e:$c: ProjectData 0x4ba259:$c: ProjectData 0x14e4a8:$d: DESCrypto
Process Memory Space: MSBuild.exe PID: 5268	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2855:$x1: NanoCore.ClientPluginHost 0x7587:$x1: NanoCore.ClientPluginHost 0x3422c:$x1: NanoCore.ClientPluginHost 0x6178f:$x1: NanoCore.ClientPluginHost 0x68c9c:$x1: NanoCore.ClientPluginHost 0xcdabe:$x1: NanoCore.ClientPluginHost 0x105f13:$x1: NanoCore.ClientPluginHost 0x12510f:$x1: NanoCore.ClientPluginHost 0x18824e:$x1: NanoCore.ClientPluginHost 0x18b01b:$x1: NanoCore.ClientPluginHost 0x195937:$x1: NanoCore.ClientPluginHost 0x1a84b3:$x1: NanoCore.ClientPluginHost 0x1ab503:$x1: NanoCore.ClientPluginHost 0x1b08b7:$x1: NanoCore.ClientPluginHost 0x1b3d0d:$x1: NanoCore.ClientPluginHost 0x1b68f8:$x1: NanoCore.ClientPluginHost 0x1bda9d:$x1: NanoCore.ClientPluginHost 0x1c28f8:$x1: NanoCore.ClientPluginHost 0x1cf0d2:$x1: NanoCore.ClientPluginHost 0x1d621b:$x1: NanoCore.ClientPluginHost 0x20f01c:$x1: NanoCore.ClientPluginHost
Process Memory Space: MSBuild.exe PID: 5268	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 5268	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x138f:$a: NanoCore 0x247c:$a: NanoCore 0x2855:$a: NanoCore 0x7587:$a: NanoCore 0x7725:$a: NanoCore 0x90df:$a: NanoCore 0xacfc:$a: NanoCore 0xadd7:$a: NanoCore 0xbb49:$a: NanoCore 0x341a6:$a: NanoCore 0x341d3:$a: NanoCore 0x3422c:$a: NanoCore 0x3ba3b:$a: NanoCore 0x3ba4e:$a: NanoCore 0x3ba80:$a: NanoCore 0x6174e:$a: NanoCore 0x6178f:$a: NanoCore 0x64be4:$a: NanoCore 0x64c0b:$a: NanoCore 0x68c9c:$a: NanoCore 0x68d78:$a: NanoCore
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.MSBuild.exe.6a00000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a00000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
19.2.MSBuild.exe.6990000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
19.2.MSBuild.exe.6990000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
19.2.MSBuild.exe.69a0000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
19.2.MSBuild.exe.69a0000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
19.2.MSBuild.exe.6970000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
19.2.MSBuild.exe.6970000.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
19.2.MSBuild.exe.6c9e8a4.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
19.2.MSBuild.exe.6c9e8a4.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
19.2.MSBuild.exe.6c90000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
19.2.MSBuild.exe.6c90000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a10000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a10000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a10000.21.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.69c0000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
19.2.MSBuild.exe.69c0000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a10000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a10000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a10000.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.6a14629.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a14629.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a14629.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.6c90000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
19.2.MSBuild.exe.6c90000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
19.0.MSBuild.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.MSBuild.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.MSBuild.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.MSBuild.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.MSBuild.exe.6c94c9f.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
19.2.MSBuild.exe.6c94c9f.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
19.2.MSBuild.exe.4182eb4.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
19.2.MSBuild.exe.4182eb4.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
19.2.MSBuild.exe.5660000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.MSBuild.exe.5660000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
19.2.MSBuild.exe.6e10000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
19.2.MSBuild.exe.6e10000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
0.2.xtxr8lHa5F.exe.47d1b78.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.xtxr8lHa5F.exe.47d1b78.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.xtxr8lHa5F.exe.47d1b78.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.xtxr8lHa5F.exe.47d1b78.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.MSBuild.exe.4176c82.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
19.2.MSBuild.exe.4176c82.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
19.2.MSBuild.exe.69c0000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
19.2.MSBuild.exe.69c0000.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
19.2.MSBuild.exe.69e0000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
19.2.MSBuild.exe.69e0000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
19.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.MSBuild.exe.65c0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
19.2.MSBuild.exe.65c0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
19.2.MSBuild.exe.6a00000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
19.2.MSBuild.exe.6a00000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
19.2.MSBuild.exe.6990000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
19.2.MSBuild.exe.6990000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
19.2.MSBuild.exe.5ab0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
19.2.MSBuild.exe.5ab0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
19.2.MSBuild.exe.5ab0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
19.2.MSBuild.exe.5ab0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
19.2.MSBuild.exe.65c0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
19.2.MSBuild.exe.65c0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
19.2.MSBuild.exe.6e10000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
19.2.MSBuild.exe.6e10000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
19.0.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.MSBuild.exe.69f0000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
19.2.MSBuild.exe.69f0000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
19.2.MSBuild.exe.6860000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
19.2.MSBuild.exe.6860000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
19.2.MSBuild.exe.69f0000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
19.2.MSBuild.exe.69f0000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
19.2.MSBuild.exe.3051e58.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
19.2.MSBuild.exe.3051e58.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
19.2.MSBuild.exe.305e0a0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
19.2.MSBuild.exe.305e0a0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
19.2.MSBuild.exe.69e0000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
19.2.MSBuild.exe.69e0000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
19.2.MSBuild.exe.6970000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
19.2.MSBuild.exe.6970000.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
19.2.MSBuild.exe.304d01c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x99f7:$x1: NanoCore.ClientPluginHost 0x19c29:$x1: NanoCore.ClientPluginHost 0x26da3:$x1: NanoCore.ClientPluginHost 0x30c03:$x1: NanoCore.ClientPluginHost 0x38b39:$x1: NanoCore.ClientPluginHost 0x3eb1c:$x1: NanoCore.ClientPluginHost 0x48597:$x1: NanoCore.ClientPluginHost 0x529d3:$x1: NanoCore.ClientPluginHost 0x5d9c5:$x1: NanoCore.ClientPluginHost 0x6977b:$x1: NanoCore.ClientPluginHost 0x7550a:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a21:$x2: IClientNetworkHost 0x19c56:$x2: IClientNetworkHost 0x26ddc:$x2: IClientNetworkHost 0x30c3c:$x2: IClientNetworkHost 0x38b72:$x2: IClientNetworkHost 0x486f4:$x2: IClientNetworkHost 0x52a0c:$x2: IClientNetworkHost 0x5d9df:$x2: IClientNetworkHost
19.2.MSBuild.exe.304d01c.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99d2:$a: NanoCore 0x99f7:$a: NanoCore 0x9a50:$a: NanoCore 0x19c03:$a: NanoCore 0x19c29:$a: NanoCore 0x19c85:$a: NanoCore 0x26aeb:$a: NanoCore 0x26b44:$a: NanoCore 0x26b77:$a: NanoCore 0x26da3:$a: NanoCore 0x26e1f:$a: NanoCore 0x27438:$a: NanoCore 0x27581:$a: NanoCore 0x27a55:$a: NanoCore 0x27d3c:$a: NanoCore 0x27d53:$a: NanoCore 0x30c03:$a: NanoCore
19.2.MSBuild.exe.4171e56.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.4171e56.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x30bbe:$a: NanoCore
19.2.MSBuild.exe.305e0a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fb7f:$x1: NanoCore.ClientPluginHost 0x27ab5:$x1: NanoCore.ClientPluginHost 0x2da98:$x1: NanoCore.ClientPluginHost 0x37513:$x1: NanoCore.ClientPluginHost 0x4194f:$x1: NanoCore.ClientPluginHost 0x4c941:$x1: NanoCore.ClientPluginHost 0x586f7:$x1: NanoCore.ClientPluginHost 0x64486:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fbb8:$x2: IClientNetworkHost 0x27aee:$x2: IClientNetworkHost 0x37670:$x2: IClientNetworkHost 0x41988:$x2: IClientNetworkHost 0x4c95b:$x2: IClientNetworkHost 0x58711:$x2: IClientNetworkHost 0x644c3:$x2: IClientNetworkHost
19.2.MSBuild.exe.305e0a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fb7f:$a: NanoCore 0x1fbfb:$a: NanoCore 0x224de:$a: NanoCore 0x27ab5:$a: NanoCore 0x27b2f:$a: NanoCore 0x2da98:$a: NanoCore 0x2dae2:$a: NanoCore 0x2e73c:$a: NanoCore
19.2.MSBuild.exe.3051e58.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14ded:$x1: NanoCore.ClientPluginHost 0x21f67:$x1: NanoCore.ClientPluginHost 0x2bdc7:$x1: NanoCore.ClientPluginHost 0x33cfd:$x1: NanoCore.ClientPluginHost 0x39ce0:$x1: NanoCore.ClientPluginHost 0x4375b:$x1: NanoCore.ClientPluginHost 0x4db97:$x1: NanoCore.ClientPluginHost 0x58b89:$x1: NanoCore.ClientPluginHost 0x6493f:$x1: NanoCore.ClientPluginHost 0x706ce:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e1a:$x2: IClientNetworkHost 0x21fa0:$x2: IClientNetworkHost 0x2be00:$x2: IClientNetworkHost 0x33d36:$x2: IClientNetworkHost 0x438b8:$x2: IClientNetworkHost 0x4dbd0:$x2: IClientNetworkHost 0x58ba3:$x2: IClientNetworkHost 0x64959:$x2: IClientNetworkHost 0x7070b:$x2: IClientNetworkHost
19.2.MSBuild.exe.3051e58.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dc7:$a: NanoCore 0x14ded:$a: NanoCore 0x14e49:$a: NanoCore 0x21caf:$a: NanoCore 0x21d08:$a: NanoCore 0x21d3b:$a: NanoCore 0x21f67:$a: NanoCore 0x21fe3:$a: NanoCore 0x225fc:$a: NanoCore 0x22745:$a: NanoCore 0x22c19:$a: NanoCore 0x22f00:$a: NanoCore 0x22f17:$a: NanoCore 0x2bdc7:$a: NanoCore 0x2be43:$a: NanoCore 0x2e726:$a: NanoCore 0x33cfd:$a: NanoCore 0x33d77:$a: NanoCore
19.2.MSBuild.exe.4182eb4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1fb60:$x1: NanoCore.ClientPluginHost 0x27a86:$x1: NanoCore.ClientPluginHost 0x2da57:$x1: NanoCore.ClientPluginHost 0x374c3:$x1: NanoCore.ClientPluginHost 0x418ee:$x1: NanoCore.ClientPluginHost 0x4c8cb:$x1: NanoCore.ClientPluginHost 0x5866d:$x1: NanoCore.ClientPluginHost 0x6db45:$x1: NanoCore.ClientPluginHost 0x95da7:$x1: NanoCore.ClientPluginHost 0xa51e7:$x1: NanoCore.ClientPluginHost 0xbd579:$x1: NanoCore.ClientPluginHost 0xe57c7:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1fb99:$x2: IClientNetworkHost 0x27abf:$x2: IClientNetworkHost 0x37620:$x2: IClientNetworkHost 0x41927:$x2: IClientNetworkHost 0x4c8e5:$x2: IClientNetworkHost
19.2.MSBuild.exe.4182eb4.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.4182eb4.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1fb60:$a: NanoCore 0x1fbdc:$a: NanoCore 0x224bf:$a: NanoCore 0x27a86:$a: NanoCore 0x27b00:$a: NanoCore 0x2c69d:$a: NanoCore 0x2da57:$a: NanoCore 0x2daa1:$a: NanoCore
19.2.MSBuild.exe.4176c82.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.MSBuild.exe.4176c82.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2bd92:$a: NanoCore 0x2be0e:$a: NanoCore 0x2e6f1:$a: NanoCore 0x33cb8:$a: NanoCore 0x33d32:$a: NanoCore
0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 94 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5268, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ab394965-c5ce-4154-ad1c-da01ecc2", "Group": "Mamie", "Domain1": "82.64.141.173", "Domain2": "82.64.141.173", "Port": 6666, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\rOKWrJ.exe	Metadefender: Detection: 34%			Perma Link
Source: C:\Users\user\AppData\Roaming\rOKWrJ.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Show sources

Source: xtxr8lHa5F.exe	Virustotal: Detection: 50%	Perma Link
Source: xtxr8lHa5F.exe	Metadefender: Detection: 34%	Perma Link
Source: xtxr8lHa5F.exe	ReversingLabs: Detection: 65%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE

Source: 19.2.MSBuild.exe.6a10000.21.unpack	Avira: Label: TR/NanoCore.fadte
Source: 19.0.MSBuild.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: xtxr8lHa5F.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: xtxr8lHa5F.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdbh source: xtxr8lHa5F.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.19.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdb source: xtxr8lHa5F.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 82.64.141.173:6666
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 82.64.141.173:6666

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 82.64.141.173

Source: global traffic

TCP traffic: 192.168.2.3:49728 -> 82.64.141.173:6666

Source: Joe Sandbox View

ASN Name: PROXADFR PROXADFR

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.21.219
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.179.193
Source: unknown	TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173
Source: unknown	TCP traffic detected without corresponding DNS query: 82.64.141.173

Source: xtxr8lHa5F.exe, 00000000.00000003.215069252.0000000005DA6000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: xtxr8lHa5F.exe, 00000000.00000003.211876617.0000000005DBB000.00000004.00000001.sdmp, xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: xtxr8lHa5F.exe, 00000000.00000003.211876617.0000000005DBB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comH
Source: MSBuild.exe, 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xtxr8lHa5F.exe, 00000000.00000003.214659761.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: xtxr8lHa5F.exe, 00000000.00000003.218605869.0000000005DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$M4n
Source: xtxr8lHa5F.exe, 00000000.00000003.218605869.0000000005DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: xtxr8lHa5F.exe, 00000000.00000003.219470787.0000000005DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersW
Source: xtxr8lHa5F.exe, 00000000.00000003.218866529.0000000005DD5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: xtxr8lHa5F.exe, 00000000.00000003.224743088.0000000005DDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersiva$M4n
Source: xtxr8lHa5F.exe, 00000000.00000003.224801303.0000000005DDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerswMin(
Source: xtxr8lHa5F.exe, 00000000.00000002.296418748.0000000001050000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comceva
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: xtxr8lHa5F.exe, 00000000.00000003.213412323.0000000005DDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-e
Source: xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr3
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: xtxr8lHa5F.exe, 00000000.00000003.213112990.0000000005DDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krLn
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: xtxr8lHa5F.exe, 00000000.00000003.212501401.0000000005DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com)
Source: xtxr8lHa5F.exe, 00000000.00000003.212501401.0000000005DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comy
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: xtxr8lHa5F.exe, 00000000.00000003.214926823.0000000005DAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyict.coJJl
Source: xtxr8lHa5F.exe, 00000000.00000003.214926823.0000000005DAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443

Source: MSBuild.exe, 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.6a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6990000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6970000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6c9e8a4.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6c90000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69c0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6c90000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.6c94c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.4182eb4.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.5660000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6e10000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.4176c82.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69c0000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69e0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.65c0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6a00000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6990000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.5ab0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.5ab0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.65c0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6e10000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.69f0000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6860000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69f0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.3051e58.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.305e0a0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.69e0000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.6970000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.304d01c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.304d01c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.305e0a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.305e0a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.3051e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.3051e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_005C7970
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_0284ACE8
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_0284BD3F
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_0504BBD8
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_050423EC
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Code function: 0_2_005C24F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_015DE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_015DE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_015DBBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055BF5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055B9788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055B3550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055BA5E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055BA602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F2450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071FEC81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F1120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071FA950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071FA080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F250E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F9D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_073D0FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_00D12148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_00D15D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_00D14A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_00D11A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 24_2_00D12133
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02875858
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02874580
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02872148
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02871A40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 26_2_02872133
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 29_2_00AD4F28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 29_2_00AD2370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 29_2_00AD1A2F

Source: dhcpmon.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: xtxr8lHa5F.exe	Binary or memory string: OriginalFilename vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.300992790.0000000004A40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.300992790.0000000004A40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.309069264.000000000BF70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePH8v.exeD vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.305737301.0000000009050000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe, 00000000.00000002.307039746.00000000096A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs xtxr8lHa5F.exe
Source: xtxr8lHa5F.exe	Binary or memory string: OriginalFilenamePH8v.exeD vs xtxr8lHa5F.exe

Source: xtxr8lHa5F.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.6a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6990000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6990000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6970000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6970000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6c9e8a4.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6c9e8a4.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6c90000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6c90000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69c0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69c0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6c90000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6c90000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.6c94c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6c94c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.4182eb4.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.4182eb4.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.5660000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.5660000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6e10000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6e10000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.4176c82.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.4176c82.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69c0000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69c0000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69e0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69e0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.65c0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.65c0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6a00000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6a00000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6990000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6990000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.5ab0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.5ab0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.5ab0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.5ab0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.65c0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.65c0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6e10000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6e10000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.69f0000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69f0000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6860000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6860000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69f0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69f0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.3051e58.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.3051e58.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.305e0a0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.305e0a0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.69e0000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.69e0000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.6970000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.6970000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.MSBuild.exe.304d01c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.304d01c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.305e0a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.305e0a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.3051e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.3051e58.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: xtxr8lHa5F.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: rOKWrJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: xtxr8lHa5F.exe, FBWintask/FBWintask.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: rOKWrJ.exe.0.dr, FBWintask/FBWintask.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/FBWintask.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/FBWintask.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: xtxr8lHa5F.exe, FBWintask/ImageCache.cs	Task registration methods: 'GetOrCreateContainer'
Source: xtxr8lHa5F.exe, FBWintask/ImageCacheWorker.cs	Task registration methods: 'GetOrCreateContainer'
Source: xtxr8lHa5F.exe, FBWintask/FileIO.cs	Task registration methods: 'CreateFile', 'ILCreateFromPathW'
Source: rOKWrJ.exe.0.dr, FBWintask/ImageCacheWorker.cs	Task registration methods: 'GetOrCreateContainer'
Source: rOKWrJ.exe.0.dr, FBWintask/ImageCache.cs	Task registration methods: 'GetOrCreateContainer'
Source: rOKWrJ.exe.0.dr, FBWintask/FileIO.cs	Task registration methods: 'CreateFile', 'ILCreateFromPathW'
Source: 0.2.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/ImageCacheWorker.cs	Task registration methods: 'GetOrCreateContainer'
Source: 0.2.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/ImageCache.cs	Task registration methods: 'GetOrCreateContainer'
Source: 0.2.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/FileIO.cs	Task registration methods: 'CreateFile', 'ILCreateFromPathW'

Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.19.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.19.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: dhcpmon.exe.19.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.19.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: dhcpmon.exe.19.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: dhcpmon.exe, 0000001D.00000002.327268598.00000000027E1000.00000004.00000001.sdmp	Binary or memory string: l)C:\Program Files (x86)\DHCP Monitor\*.sln
Source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dhcpmon.exe, dhcpmon.exe.19.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: dhcpmon.exe, 0000001D.00000002.327268598.00000000027E1000.00000004.00000001.sdmp	Binary or memory string: *.slnP#
Source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: dhcpmon.exe, dhcpmon.exe.19.dr	Binary or memory string: *.sln
Source: dhcpmon.exe, 0000001D.00000002.326870132.00000000008F1000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files (x86)\DHCP Monitor\<.sln
Source: dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/14@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File created: C:\Users\user\AppData\Roaming\rOKWrJ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ab394965-c5ce-4154-ad1c-da01ecc2f391}
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Mutant created: \Sessions\1\BaseNamedObjects\UnHYVxJdUT
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File created: C:\Users\user\AppData\Local\Temp\tmp76E9.tmp

Jump to behavior

Source: xtxr8lHa5F.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: xtxr8lHa5F.exe	Virustotal: Detection: 50%
Source: xtxr8lHa5F.exe	Metadefender: Detection: 34%
Source: xtxr8lHa5F.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File read: C:\Users\user\Desktop\xtxr8lHa5F.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xtxr8lHa5F.exe 'C:\Users\user\Desktop\xtxr8lHa5F.exe'
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp'
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp'

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: xtxr8lHa5F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xtxr8lHa5F.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xtxr8lHa5F.exe

Static file information: File size 1245184 > 1048576

Source: xtxr8lHa5F.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12be00

Source: xtxr8lHa5F.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: xtxr8lHa5F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdbh source: xtxr8lHa5F.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.19.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000013.00000002.481813725.0000000001373000.00000004.00000020.sdmp, dhcpmon.exe, 0000001A.00000002.312274650.0000000000602000.00000002.00020000.sdmp, dhcpmon.exe, 0000001D.00000002.326402171.00000000001E2000.00000002.00020000.sdmp, dhcpmon.exe.19.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fcghDRQpfO\src\obj\Debug\PH8v.pdb source: xtxr8lHa5F.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: xtxr8lHa5F.exe, FBWintask/FBWintask.cs	.Net Code: XXXXXXXXXXXXXXXXXXXXX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: rOKWrJ.exe.0.dr, FBWintask/FBWintask.cs	.Net Code: XXXXXXXXXXXXXXXXXXXXX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/FBWintask.cs	.Net Code: XXXXXXXXXXXXXXXXXXXXX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.xtxr8lHa5F.exe.5c0000.0.unpack, FBWintask/FBWintask.cs	.Net Code: XXXXXXXXXXXXXXXXXXXXX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_06981338 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055BB5E0 push eax; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055B69FA push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_055B69F8 pushad ; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071FE120 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F09C0 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071F09E2 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 19_2_071FF850 push esp; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.95223164837
Source: initial sample	Static PE information: section name: .text entropy: 7.95223164837

Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	File created: C:\Users\user\AppData\Roaming\rOKWrJ.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239875
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239422
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239313
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239047
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238891
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238672
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237969
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237859
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237750
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237391
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237125
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237016
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236891
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236500
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236094
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235953
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235844
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235719
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235609
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235484
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235375
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235016
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234906
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234797
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234672
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234313
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234063
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233938
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233031
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232906
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232766
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232406
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232047
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231922
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231813
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231500
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231391
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231000
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230890
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230328
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230219
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230094
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229984
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229875
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229766
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Window / User API: threadDelayed 2457
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Window / User API: threadDelayed 5278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 618

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239875s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239750s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239641s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239531s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239422s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239313s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239188s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -239047s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238891s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238781s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238672s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238547s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238438s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238297s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -238141s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237969s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237859s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237750s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237641s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237531s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237391s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237125s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -237016s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236891s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236781s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236641s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236500s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236297s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -236094s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235953s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235844s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235719s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235609s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235484s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235375s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235250s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235141s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -235016s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234906s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234797s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234672s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234547s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234438s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234313s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234188s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -234063s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233938s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233781s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233547s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233297s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233141s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -233031s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232906s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232766s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232656s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232531s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232406s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232297s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232188s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -232047s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231922s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231813s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231641s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231500s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231391s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231250s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231141s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -231000s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230890s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230781s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230656s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230547s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230438s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230328s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230219s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -230094s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -229984s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -229875s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -229766s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -229656s >= -30000s
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe TID: 2996	Thread sleep time: -229547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 400	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2592	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239875
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239422
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239313
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 239047
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238891
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238672
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 238141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237969
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237859
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237750
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237391
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237125
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 237016
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236891
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236500
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 236094
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235953
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235844
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235719
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235609
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235484
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235375
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 235016
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234906
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234797
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234672
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234313
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 234063
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233938
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 233031
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232906
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232766
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232531
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232406
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232297
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232188
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 232047
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231922
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231813
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231641
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231500
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231391
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231250
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231141
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 231000
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230890
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230781
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230547
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230438
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230328
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230219
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 230094
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229984
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229875
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229766
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229656
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Thread delayed: delay time: 229547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: MSBuild.exe, 00000013.00000002.491135295.00000000072E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MSBuild.exe, 00000013.00000002.491135295.00000000072E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000013.00000002.491135295.00000000072E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: MSBuild.exe, 00000013.00000003.359697171.00000000013F8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000013.00000002.491135295.00000000072E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: dhcpmon.exe.19.dr, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 19.0.MSBuild.exe.400000.1.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 19.0.MSBuild.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 26.0.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 26.2.dhcpmon.exe.600000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp'
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp'

Source: MSBuild.exe, 00000013.00000002.485674376.00000000032C4000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000013.00000002.483060667.0000000001A60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000013.00000002.483060667.0000000001A60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000013.00000002.485327364.0000000003231000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa(l
Source: MSBuild.exe, 00000013.00000002.483060667.0000000001A60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000013.00000002.486305306.00000000033E6000.00000004.00000001.sdmp	Binary or memory string: Program Managerd4
Source: MSBuild.exe, 00000013.00000002.483744566.000000000310A000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$(l
Source: MSBuild.exe, 00000013.00000002.485674376.00000000032C4000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000013.00000002.484248659.0000000003185000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa(l(

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Users\user\Desktop\xtxr8lHa5F.exe VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\xtxr8lHa5F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 19_2_071F0040 GetSystemTimes,

Source: C:\Users\user\Desktop\xtxr8lHa5F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: xtxr8lHa5F.exe, 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtxr8lHa5F.exe PID: 5352, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5268, type: MEMORY
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a10000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.6a14629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4171e56.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4182eb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.4176c82.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xtxr8lHa5F.exe.47d1b78.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job11	Process Injection12	Masquerading2	Input Capture11	System Time Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job11	Boot or Logon Initialization Scripts	Scheduled Task/Job11	Disable or Modify Tools1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Security Software Discovery221	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Virtualization/Sandbox Evasion31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xtxr8lHa5F.exe	50%	Virustotal		Browse
xtxr8lHa5F.exe	37%	Metadefender		Browse
xtxr8lHa5F.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\rOKWrJ.exe	37%	Metadefender		Browse
C:\Users\user\AppData\Roaming\rOKWrJ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.2.MSBuild.exe.6a10000.21.unpack	100%	Avira	TR/NanoCore.fadte	Download File
19.0.MSBuild.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.0.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.comy	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr-e	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr3	0%	Avira URL Cloud	safe
http://www.sandoll.co.krLn	0%	Avira URL Cloud	safe
http://www.fontbureau.comceva	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://fontfabrik.comH	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.zhongyict.coJJl	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
82.64.141.173	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.tiro.com)	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
82.64.141.173	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	xtxr8lHa5F.exe, 00000000.00000003.214659761.0000000005DB3000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comy	xtxr8lHa5F.exe, 00000000.00000003.212501401.0000000005DA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr-e	xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr3	xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.krLn	xtxr8lHa5F.exe, 00000000.00000003.213056039.0000000005DA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersW	xtxr8lHa5F.exe, 00000000.00000003.219470787.0000000005DD5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comceva	xtxr8lHa5F.exe, 00000000.00000002.296418748.0000000001050000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://fontfabrik.comH	xtxr8lHa5F.exe, 00000000.00000003.211876617.0000000005DBB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.w	xtxr8lHa5F.exe, 00000000.00000003.215069252.0000000005DA6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	xtxr8lHa5F.exe, 00000000.00000003.211876617.0000000005DBB000.00000004.00000001.sdmp, xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersers	xtxr8lHa5F.exe, 00000000.00000003.218866529.0000000005DD5000.00000004.00000001.sdmp	false		high
http://www.zhongyict.coJJl	xtxr8lHa5F.exe, 00000000.00000003.214926823.0000000005DAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnt	xtxr8lHa5F.exe, 00000000.00000003.213412323.0000000005DDD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersiva$M4n	xtxr8lHa5F.exe, 00000000.00000003.224743088.0000000005DDD000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designerswMin(	xtxr8lHa5F.exe, 00000000.00000003.224801303.0000000005DDD000.00000004.00000001.sdmp	false		high
http://www.fonts.com	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	xtxr8lHa5F.exe, 00000000.00000003.213112990.0000000005DDD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com)	xtxr8lHa5F.exe, 00000000.00000003.212501401.0000000005DA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deDPlease	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	xtxr8lHa5F.exe, 00000000.00000003.214926823.0000000005DAD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xtxr8lHa5F.exe, 00000000.00000002.296654463.00000000029C1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	xtxr8lHa5F.exe, 00000000.00000002.304317332.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	xtxr8lHa5F.exe, 00000000.00000003.218605869.0000000005DD5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers$M4n	xtxr8lHa5F.exe, 00000000.00000003.218605869.0000000005DD5000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.64.141.173	unknown	France		12322	PROXADFR	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432024
Start date:	09.06.2021
Start time:	16:56:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	xtxr8lHa5F.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/14@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.8%) Quality average: 40.9% Quality standard deviation: 22.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 92.122.145.220, 13.64.90.137, 168.61.161.212, 184.30.20.56, 20.82.210.154, 2.20.142.210, 2.20.142.209, 20.54.26.129, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:57:37	API Interceptor	304x Sleep call for process: xtxr8lHa5F.exe modified
16:58:22	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" s>$(Arg0)
16:58:22	API Interceptor	690x Sleep call for process: MSBuild.exe modified
16:58:22	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:58:23	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PROXADFR	XPChvE6GQd	Get hash	malicious	Browse	91.174.106.122
	networkservice.exe	Get hash	malicious	Browse	78.199.3.202
	z3hir.bin	Get hash	malicious	Browse	78.206.151.134
	IMG001.exe	Get hash	malicious	Browse	82.231.211.245
	h15v4Z591T.exe	Get hash	malicious	Browse	212.27.48.10
	73V5c6ESki.exe	Get hash	malicious	Browse	212.27.48.10
	Thq0FVrAAZ.exe	Get hash	malicious	Browse	212.27.48.10
	FB11.exe	Get hash	malicious	Browse	91.160.55.21
	1.sh	Get hash	malicious	Browse	62.147.248.49
	PDFXCview.exe	Get hash	malicious	Browse	88.188.224.42
	HUahIwV82u.exe	Get hash	malicious	Browse	82.64.20.171
	kYfGJIQBJ3.exe	Get hash	malicious	Browse	78.198.121.158
	Io8ic2291n.doc	Get hash	malicious	Browse	78.206.229.130
	wEcncyxrEe	Get hash	malicious	Browse	78.199.170.243
	mozi.a.zip	Get hash	malicious	Browse	82.253.85.237
	WUHU95Apq3	Get hash	malicious	Browse	78.253.18.229
	bin.sh	Get hash	malicious	Browse	78.239.138.225
	evapi.exe	Get hash	malicious	Browse	82.64.68.235
	mssecsvr.exe	Get hash	malicious	Browse	78.200.246.23
	i	Get hash	malicious	Browse	91.166.162.40

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	GpnPv433gb.exe	Get hash	malicious	Browse
	MPT Q2106-0405.exe	Get hash	malicious	Browse
	http___pbfoa.org_d.exe	Get hash	malicious	Browse
	4.exe	Get hash	malicious	Browse
	Payment Copy.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-1901114328710090.pdf.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	4Vy2EGhzNF.exe	Get hash	malicious	Browse
	PO-13916.jpeg.exe	Get hash	malicious	Browse
	Balance Payment.exe	Get hash	malicious	Browse
	updated statement.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	DHL On Demand Delivery.exe	Get hash	malicious	Browse
	DHL On Demand Delivery.pdf.exe	Get hash	malicious	Browse
	S4aES2mPdl.exe	Get hash	malicious	Browse
	Remcos Professional Cracked By Alcatraz3222.exe	Get hash	malicious	Browse
	shipping documents.exe	Get hash	malicious	Browse
	e98ba3ccd39858a7416e4769ae962ce5.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-190111432879905.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	261728
Entropy (8bit):	6.1750840449797675
Encrypted:	false
SSDEEP:	3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
MD5:	D621FD77BD585874F9686D3A76462EF1
SHA1:	ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256:	2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
SHA-512:	2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: GpnPv433gb.exe, Detection: malicious, Browse Filename: MPT Q2106-0405.exe, Detection: malicious, Browse Filename: http___pbfoa.org_d.exe, Detection: malicious, Browse Filename: 4.exe, Detection: malicious, Browse Filename: Payment Copy.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-1901114328710090.pdf.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: 4Vy2EGhzNF.exe, Detection: malicious, Browse Filename: PO-13916.jpeg.exe, Detection: malicious, Browse Filename: Balance Payment.exe, Detection: malicious, Browse Filename: updated statement.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: DHL On Demand Delivery.exe, Detection: malicious, Browse Filename: DHL On Demand Delivery.pdf.exe, Detection: malicious, Browse Filename: S4aES2mPdl.exe, Detection: malicious, Browse Filename: Remcos Professional Cracked By Alcatraz3222.exe, Detection: malicious, Browse Filename: shipping documents.exe, Detection: malicious, Browse Filename: e98ba3ccd39858a7416e4769ae962ce5.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-190111432879905.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..\|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................\|..........................................{.......v.(=....r...p({...-..+..}........0..%........(....-......(z.....&..}..............................0..5........(....-...-.r+..ps>...z.....i(z.....&..}......................%......>....(?...(....N..(@....oA...(....:...(B...(....:...(C...(....*....(........0..G........(....,....(....-...}......r...p(x...&.(v.....}......&..}....................7.......0..f........-.r7..ps>...z .....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.356220854328477
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5:	486580834B084C92AE1F3866166C9C34
SHA1:	C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256:	65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512:	2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1037
Entropy (8bit):	5.371216502395632
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvEHxD0
MD5:	C7F28B87C2CAD111D929CB9A0FF822F8
SHA1:	C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
SHA-256:	D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
SHA-512:	E0F35874E02AB672CFF0553A0DA0864DAB14C05733D06395E4D0C9CDFC6F445E940310F8D01E3E1B28895F636DFBC1F510E103D1C46818400BA4E7371D8F254D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp604E.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.137611098420233
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0moxtn:cbk4oL600QydbQxIYODOLedq3Zoj
MD5:	3E2B26ED8B75AE83A269595180E84EF6
SHA1:	D30A0335FCCE406BCA8BA5764288235E6192F608
SHA-256:	108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
SHA-512:	B6981C68FCB886CC8379A068B96931B9D4F5CC5AA9BDC467E36C4168FE6C5273A2A84D8850B12C11703EC03AC6B1F1950D1E669EFCB59FC2402CE4BBA9DC03D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp6502.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp76E9.tmp Download File
Process:	C:\Users\user\Desktop\xtxr8lHa5F.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.186784683335912
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBItn:cbh47TlNQ//rydbz9I3YODOLNdq3I
MD5:	EE08731F2635FB10A5E1E6F0747AB40F
SHA1:	E0D3F0D3F2177ECC73C45479FA66DFC14C5306DF
SHA-256:	E441C2F354D1D3AA8DA9E3B2CB2737C95905B88DF668C2F9D111C9A4D2025E52
SHA-512:	F4504B5AAA6354ED918586F2DEF5A21DB83F9EEBC7121FBC8B3FB4370A3B8BD06E5315ED35AA3D094C83B360CE6431FC22B808627F56DF866F6ADDEF76C84023
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	838CD9DBC78EA45A5406EAE23962086D
SHA1:	C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256:	6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512:	F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:i18tn:i18n
MD5:	8531FB0CEC5F18EBD29FF0B57BC853B0
SHA1:	D7ACB93014DF7917C55380CE5F8E2C10D0E12EBE
SHA-256:	A393F6022ED56CAF64A0865D97006C38620212D769CE5EA8B924683B700A1754
SHA-512:	E758D525129048796999A0AF64054AF4CC54096DEDE42D4D2D0375F91847AF4DEAC2019606E4E15D31ED9462CED8718A8E088F86856D1DEA8ADDE395FAE9ED53
Malicious:	true
Preview:	...u.+.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.887726803973036
Encrypted:	false
SSDEEP:	3:oMty8WddSJ8:oMLW6C
MD5:	6ECAFC0490DAB08E4A288E0042B6B613
SHA1:	4A4529907588505FC65CC9933980CFE6E576B3D6
SHA-256:	DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
SHA-512:	7DA2B02627A36C8199814C250A1FBD61A9C18E098F8D691C11D75044E7F51DBD52C31EC2E1EA8CDEE5077ADCCB8CD247266F191292DB661FE7EA1B613FC646F8
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\user\AppData\Roaming\rOKWrJ.exe Download File
Process:	C:\Users\user\Desktop\xtxr8lHa5F.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	7.948556128818863
Encrypted:	false
SSDEEP:	24576:4ZBPnHeenJNTfyZbKldRTBeRmZPpYKH2k4mLM:4BeWTfyZbqdR1eCYQ4
MD5:	C89C05D0F2853FA30B535AA2544006E5
SHA1:	2E3A6ADC296D26732A3C61AC761052B8793F7DA0
SHA-256:	B2EC2E506BC9741873E39CC6FDC07802A1180136657582AE807D5F6112CFC02A
SHA-512:	BA3ECE975821799AEE081C04ED73027C4D389AD97B237E2F65D454181922EBAC7ECACF08783046A3E51C67CD283118BA57EF6F6BB6F9918F284084EBAE1D3378
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.`..............0......@........... ........@.. .......................@.......[....@.................................@...O........=................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc....=.......>..................@..@.reloc....... ......................@..B................t.......H.......d...4...............p7..........................................".(.......{...."..}......{...."..}......0............(.........,..r...p(.......+m.......(....s......(........o....t......r=..p(.........5.,..o......&.r...p(............r...p..(....(..............(....7..V..........Ba..........Br.......0...........r+..p.+....0...........r5..p.+....( ...... .d...(!..... .....(!......K..s"...(#....F...($.....(%....~...(&......}......}.....(%....*v...('......o(...}.

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.943030742860529
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
MD5:	6A9888952541A41F033EB114C24DC902
SHA1:	41903D7C8F31013C44572E09D97B9AAFBBCE77E6
SHA-256:	41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
SHA-512:	E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
Malicious:	false
Preview:	Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.948556128818863
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xtxr8lHa5F.exe
File size:	1245184
MD5:	c89c05d0f2853fa30b535aa2544006e5
SHA1:	2e3a6adc296d26732a3c61ac761052b8793f7da0
SHA256:	b2ec2e506bc9741873e39cc6fdc07802a1180136657582ae807d5f6112cfc02a
SHA512:	ba3ece975821799aee081c04ed73027c4d389ad97b237e2f65d454181922ebac7ecacf08783046a3e51c67cd283118ba57ef6f6bb6f9918f284084ebae1d3378
SSDEEP:	24576:4ZBPnHeenJNTfyZbKldRTBeRmZPpYKH2k4mLM:4BeWTfyZbqdR1eCYQ4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.`..............0......@........... ........@.. .......................@.......[....@................................

File Icon


Icon Hash:	c4e0696969796843

Static PE Info

General
Entrypoint:	0x52dc92
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60BA58E6 [Fri Jun 4 16:46:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12dc40	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12e000	0x3db0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12db08	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12bcb0	0x12be00	False	0.948363901626	data	7.95223164837	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x12e000	0x3db0	0x3e00	False	0.926033266129	data	7.68775853308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x12e138	0x3938	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x131a70	0x14	data
RT_VERSION	0x131a84	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	PH8v.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	WinFormsFBWintask
ProductVersion	1.0.0.0
FileDescription	WinFormsFBWintask
OriginalFilename	PH8v.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/09/21-16:58:25.207531	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	6666	192.168.2.3	82.64.141.173
06/09/21-16:58:32.018797	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	6666	192.168.2.3	82.64.141.173
06/09/21-16:58:38.035640	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49730	6666	192.168.2.3	82.64.141.173
06/09/21-16:58:44.066081	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49732	6666	192.168.2.3	82.64.141.173
06/09/21-16:58:50.004987	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	6666	192.168.2.3	82.64.141.173
06/09/21-16:58:56.037031	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:03.038875	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:09.644432	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:15.672476	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:21.725158	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:27.712404	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:34.173339	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:40.286502	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	6666	192.168.2.3	82.64.141.173
06/09/21-16:59:46.274972	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	6666	192.168.2.3	82.64.141.173

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 16:57:33.628858089 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629214048 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629300117 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629395962 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629430056 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629452944 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629561901 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.629626036 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.666960001 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.666994095 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.667005062 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.667098999 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.667733908 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.667752981 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.667956114 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.668067932 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.668612003 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.668749094 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.668808937 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.669581890 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.669603109 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.669614077 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.669686079 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:33.669914007 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.669998884 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.705794096 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.706057072 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.789659977 CEST	443	49683	204.79.197.200	192.168.2.3
Jun 9, 2021 16:57:33.789736986 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:56.303672075 CEST	49687	443	192.168.2.3	184.30.21.219
Jun 9, 2021 16:57:56.303759098 CEST	49688	80	192.168.2.3	93.184.220.29
Jun 9, 2021 16:57:56.346215010 CEST	49683	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:56.347877026 CEST	49684	80	192.168.2.3	93.184.220.29
Jun 9, 2021 16:57:56.378303051 CEST	49694	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:57:56.378386974 CEST	49693	443	192.168.2.3	204.79.197.200
Jun 9, 2021 16:58:05.091290951 CEST	443	49678	20.190.160.75	192.168.2.3
Jun 9, 2021 16:58:05.173636913 CEST	443	49733	20.190.160.75	192.168.2.3
Jun 9, 2021 16:58:23.878735065 CEST	49681	80	192.168.2.3	93.184.221.240
Jun 9, 2021 16:58:23.920917034 CEST	80	49681	93.184.221.240	192.168.2.3
Jun 9, 2021 16:58:23.922202110 CEST	49681	80	192.168.2.3	93.184.221.240
Jun 9, 2021 16:58:24.798937082 CEST	49686	80	192.168.2.3	84.53.167.113
Jun 9, 2021 16:58:24.799076080 CEST	49685	443	192.168.2.3	2.17.179.193
Jun 9, 2021 16:58:24.841373920 CEST	443	49685	2.17.179.193	192.168.2.3
Jun 9, 2021 16:58:24.841396093 CEST	443	49685	2.17.179.193	192.168.2.3
Jun 9, 2021 16:58:24.841428041 CEST	80	49686	84.53.167.113	192.168.2.3
Jun 9, 2021 16:58:24.841439009 CEST	49685	443	192.168.2.3	2.17.179.193
Jun 9, 2021 16:58:24.841479063 CEST	49685	443	192.168.2.3	2.17.179.193
Jun 9, 2021 16:58:24.841495037 CEST	49686	80	192.168.2.3	84.53.167.113
Jun 9, 2021 16:58:24.886971951 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:24.947665930 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:24.947789907 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.207530975 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.272695065 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.283700943 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.343135118 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.374186993 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.457417965 CEST	80	49679	93.184.220.29	192.168.2.3
Jun 9, 2021 16:58:25.457542896 CEST	49679	80	192.168.2.3	93.184.220.29
Jun 9, 2021 16:58:25.479621887 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.479881048 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.580131054 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.583965063 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.660335064 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.720210075 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:25.800565958 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.869061947 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:25.973047018 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:26.011317015 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:26.070749044 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:26.072696924 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:26.131933928 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:26.298748016 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:26.657011986 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:26.764899969 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:26.991673946 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:27.093017101 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:27.093075037 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:27.202115059 CEST	6666	49728	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:27.832046032 CEST	49728	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:31.958240986 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.017805099 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.018068075 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.018796921 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.085375071 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.100327969 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.161004066 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.162120104 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.265333891 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.372282982 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.373181105 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.433351040 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.443183899 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.503273964 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.505208969 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.564604044 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.564718008 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:32.671423912 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:32.956116915 CEST	49729	6666	192.168.2.3	82.64.141.173
Jun 9, 2021 16:58:33.063976049 CEST	6666	49729	82.64.141.173	192.168.2.3
Jun 9, 2021 16:58:33.111573935 CEST	6666	49729	82.64.141.173	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 16:57:29.613032103 CEST	51281	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:29.664172888 CEST	53	51281	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:30.541265965 CEST	49199	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:30.594149113 CEST	53	49199	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:31.480681896 CEST	50620	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:31.532385111 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:31.692465067 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:31.755882025 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:32.948966980 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:33.001765013 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:34.006227970 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:34.056139946 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:34.913014889 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:34.962992907 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:35.827965975 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:35.879328012 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:36.654052019 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:36.708568096 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:37.585887909 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:37.635910034 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:38.725214005 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:38.778487921 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:40.143404007 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:40.196477890 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:41.098058939 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:41.159636021 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:42.543603897 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:42.601840019 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:43.524739027 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:43.577733040 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:44.504780054 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:44.555285931 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:45.595212936 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:45.647730112 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:46.504523993 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:46.562860012 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:47.967144012 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:48.017147064 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 9, 2021 16:57:49.246535063 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:57:49.296648026 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 9, 2021 16:58:03.015013933 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:58:03.073262930 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 9, 2021 16:58:05.950804949 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:58:06.020395041 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 9, 2021 16:58:24.036393881 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:58:24.098020077 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 9, 2021 16:58:43.167129040 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:58:43.233901024 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 9, 2021 16:58:46.928185940 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:58:46.991085052 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 9, 2021 16:59:18.198232889 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:59:18.270220041 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 9, 2021 16:59:19.266494989 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 9, 2021 16:59:19.333344936 CEST	53	55435	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: xtxr8lHa5F.exe PID: 5352 Parent PID: 5544

General

Start time:	16:57:37
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\xtxr8lHa5F.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\xtxr8lHa5F.exe'
Imagebase:	0x5c0000
File size:	1245184 bytes
MD5 hash:	C89C05D0F2853FA30B535AA2544006E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.300718477.00000000047D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.297955225.00000000039C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 3696 Parent PID: 5352

General

Start time:	16:58:15
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rOKWrJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp76E9.tmp'
Imagebase:	0xcf0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5256 Parent PID: 3696

General

Start time:	16:58:15
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exe PID: 5260 Parent PID: 5352

General

Start time:	16:58:16
Start date:	09/06/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x7ff6741d0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: MSBuild.exe PID: 5268 Parent PID: 5352

General

Start time:	16:58:16
Start date:	09/06/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc40000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490364012.00000000069C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.490572775.0000000006A10000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490523889.0000000006A00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490241521.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490432497.00000000069E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490460540.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490307408.0000000006990000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.489013213.0000000005660000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.489410894.0000000005AB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.293794804.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490092332.0000000006860000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490925199.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.477945079.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000013.00000002.483305536.0000000003021000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.489888733.00000000065C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490328155.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.294410455.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.487426729.0000000004169000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.490998411.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: schtasks.exe PID: 5020 Parent PID: 5268

General

Start time:	16:58:20
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp604E.tmp'
Imagebase:	0x7ff6741d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5012 Parent PID: 5020

General

Start time:	16:58:20
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 3564 Parent PID: 5268

General

Start time:	16:58:21
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6502.tmp'
Imagebase:	0x8d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3016 Parent PID: 3564

General

Start time:	16:58:21
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exe PID: 3508 Parent PID: 528

General

Start time:	16:58:22
Start date:	09/06/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Imagebase:	0x450000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exe PID: 1648 Parent PID: 3508

General

Start time:	16:58:23
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 1180 Parent PID: 528

General

Start time:	16:58:23
Start date:	09/06/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x600000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: conhost.exe PID: 1260 Parent PID: 1180

General

Start time:	16:58:24
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 3776 Parent PID: 3388

General

Start time:	16:58:30
Start date:	09/06/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x1e0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 996 Parent PID: 3776

General

Start time:	16:58:31
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report xtxr8lHa5F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre