
Windows Analysis Report mzyDSLb1u9.exe

Overview

General Information

Sample Name: mzyDSLb1u9.exe
Analysis ID: 452311
MD5: 922bbf421cd0c9b155f45388db7c8718
SHA1: 993cd3bc36c7d903846cf9ee4fb1e8e01dec4947
SHA256: 1bf63394fcf232d3a303d17df87252e2f47c43205edadc99ed15a50c9e193ebc
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mzyDSLb1u9.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\mzyDSLb1u9.exe' MD5: 922BBF421CD0C9B155F45388DB7C8718)
    • mssvgt.pif (PID: 7104 cmdline: 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge MD5: 7C81E999E91D1D0F772010DFA4C34923)
      • RegSvcs.exe (PID: 4476 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 5768 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6760 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDA12.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mssvgt.pif (PID: 984 cmdline: 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge MD5: 7C81E999E91D1D0F772010DFA4C34923)
    • RegSvcs.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 768 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6576 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 6996 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\42926996\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • dhcpmon.exe (PID: 7048 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ba2baad0-dd3f-4844-a1e3-4d042f9a", "Group": "HOBBIT", "Domain1": "strongodss.ddns.net", "Domain2": "185.19.85.175", "Port": 48562, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf99d:$x1: NanoCore.ClientPluginHost
  • 0xf9da:$x2: IClientNetworkHost
  • 0x1350d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xf705:$a: NanoCore
  • 0xf715:$a: NanoCore
  • 0xf949:$a: NanoCore
  • 0xf95d:$a: NanoCore
  • 0xf99d:$a: NanoCore
  • 0xf764:$b: ClientPlugin
  • 0xf966:$b: ClientPlugin
  • 0xf9a6:$b: ClientPlugin
  • 0xf88b:$c: ProjectData
  • 0x10292:$d: DESCrypto
  • 0x17c5e:$e: KeepAlive
  • 0x15c4c:$g: LogClientMessage
  • 0x11e47:$i: get_Connected
  • 0x105c8:$j: #=q
  • 0x105f8:$j: #=q
  • 0x10614:$j: #=q
  • 0x10644:$j: #=q
  • 0x10660:$j: #=q
  • 0x1067c:$j: #=q
  • 0x106ac:$j: #=q
  • 0x106c8:$j: #=q
0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf1d5:$x1: NanoCore.ClientPluginHost
  • 0xf212:$x2: IClientNetworkHost
  • 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of 136 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.5740000.9.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.5740000.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.5750000.10.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
6.2.RegSvcs.exe.5750000.10.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
6.2.RegSvcs.exe.3cbb041.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
(5 of 158 entries shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4476, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4476, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge, ParentImage: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif, ParentProcessId: 7104, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4476

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4476, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 4476, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ba2baad0-dd3f-4844-a1e3-4d042f9a", "Group": "HOBBIT", "Domain1": "strongodss.ddns.net", "Domain2": "185.19.85.175", "Port": 48562, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net; Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: mzyDSLb1u9.exe; Virustotal: Detection: 53%
Source: mzyDSLb1u9.exe; Metadefender: Detection: 28%
Source: mzyDSLb1u9.exe; ReversingLabs: Detection: 67%
Yara detected Nanocore RAT
Source: Yara match; File source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY
Source: Yara match; File source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY
Source: Yara match; File source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY
Source: 16.2.RegSvcs.exe.a00000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.RegSvcs.exe.790000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.RegSvcs.exe.6460000.12.unpack; Avira: Label: TR/NanoCore.fadte
Source: mzyDSLb1u9.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mzyDSLb1u9.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: mzyDSLb1u9.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000006.00000002.901749097.00000000010DC000.00000004.00000020.sdmp, RegSvcs.exe, 0000000C.00000000.679025853.0000000000BD2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.682942068.00000000002B2000.00000002.00020000.sdmp, RegSvcs.exe, 00000010.00000002.714290939.0000000000632000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000002.715465917.00000000001C2000.00000002.00020000.sdmp, dhcpmon.exe.6.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000006.00000002.902381045.0000000002CAA000.00000004.00000001.sdmp, RegSvcs.exe, 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 00000014.00000002.717570199.00000000049B0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, RegSvcs.exe, 00000010.00000002.714290939.0000000000632000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000002.715465917.00000000001C2000.00000002.00020000.sdmp, dhcpmon.exe.6.dr
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe; Code function: 0_2_013CA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe; Code function: 0_2_013DAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe; Code function: 0_2_013E9FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AE2408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AEDE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user\AppData\Local\Temp\42926996
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; File opened: C:\Users\user\AppData\Local

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 185.19.85.175
Source: Malware configuration extractor; URLs: strongodss.ddns.net
Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
Uses dynamic DNS services
Source: unknown; DNS query: name: strongodss.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49742 -> 185.19.85.175:48562
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AD2285 InternetQueryDataAvailable,InternetReadFile,
Source: unknown; DNS traffic detected: queries for: strongodss.ddns.net
Source: mssvgt.pif.0.dr; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: mssvgt.pif.0.dr; String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: mssvgt.pif.0.dr; String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://www.globalsign.net/repository/0
Source: mssvgt.pif.0.dr; String found in binary or memory: http://www.globalsign.net/repository/03
Source: mssvgt.pif.0.dr; String found in binary or memory: http://www.globalsign.net/repository09
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AEA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AFD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00AD42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,
Source: RegSvcs.exe, 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif; Code function: 4_2_00B0C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match; File source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY
      Source: Yara match; File source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY
      Source: Yara match; File source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY

      Operating System Destruction:

      Protects its processes via BreakOnTermination flag
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process information set: 01 00 00 00

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 6.2.RegSvcs.exe.5740000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.5750000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.2cb1834.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.2cb6888.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.2cb1834.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.2ff9650.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.3cb07ce.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 16.2.RegSvcs.exe.3fe07ce.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.2ff9650.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.2.RegSvcs.exe.2ffe6b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.905012001.0000000005740000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.905032778.0000000005750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeCode function: 0_2_013C6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AD6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: String function: 013DE2F0 appears 31 times
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: String function: 013DD870 appears 35 times
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: String function: 013DD940 appears 51 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00AA8115 appears 40 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00AA333F appears 36 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00A91D10 appears 31 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00AA14F7 appears 45 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00AD59E6 appears 70 times
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: String function: 00AA6B90 appears 73 times
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mssvgt.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: mzyDSLb1u9.exe, 00000000.00000002.650593886.0000000002E70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs mzyDSLb1u9.exe
      Source: mzyDSLb1u9.exe, 00000000.00000002.650719039.0000000002F70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs mzyDSLb1u9.exe
      Source: mzyDSLb1u9.exe, 00000000.00000002.650719039.0000000002F70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs mzyDSLb1u9.exe
      Source: mzyDSLb1u9.exe, 00000000.00000002.650146752.0000000001360000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs mzyDSLb1u9.exe
      Source: mzyDSLb1u9.exe, 00000000.00000002.650730045.0000000002F90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs mzyDSLb1u9.exe
      Source: mzyDSLb1u9.exe, 00000000.00000002.650758718.0000000004D00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs mzyDSLb1u9.exe
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Section loaded: dxgidebug.dll
      Source: mzyDSLb1u9.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 6.2.RegSvcs.exe.5740000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.5740000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.5750000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.5750000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.2cb1834.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.2cb1834.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.2cb6888.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.2cb1834.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.2ff9650.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.2ff9650.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.3cb07ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.3cb07ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.2.RegSvcs.exe.3fe07ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.3fe07ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.2ff9650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.2ff9650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.2.RegSvcs.exe.2ffe6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 16.2.RegSvcs.exe.2ffe6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.905012001.0000000005740000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.905012001.0000000005740000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.905032778.0000000005750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.905032778.0000000005750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.790000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 6.2.RegSvcs.exe.790000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 6.2.RegSvcs.exe.790000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/39@6/1
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013C6D06 GetLastError,FormatMessageW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AC33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AF4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AED606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00B0557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AFE0F6 CoInitialize,CoCreateInstance,CoUninitialize,
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013D963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File created: C:\Users\user\AppData\Local\Temp\42926996
      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\42926996\Update.vbs'
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Command line argument: sfxname
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Command line argument: sfxstime
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Command line argument: STARTDLG
      Source: mzyDSLb1u9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File read: C:\Windows\win.ini
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: mzyDSLb1u9.exe | Virustotal: Detection: 53%
      Source: mzyDSLb1u9.exe | Metadefender: Detection: 28%
      Source: mzyDSLb1u9.exe | ReversingLabs: Detection: 67%
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File read: C:\Users\user\Desktop\mzyDSLb1u9.exe
      Source: unknown | Process created: C:\Users\user\Desktop\mzyDSLb1u9.exe 'C:\Users\user\Desktop\mzyDSLb1u9.exe'
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Process created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDA12.tmp'
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\42926996\Update.vbs'
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Process created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDA12.tmp'
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File written: C:\Users\user\AppData\Local\Temp\42926996\qbfcdn.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: mzyDSLb1u9.exe | Static file information: File size 1105214 > 1048576
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: mzyDSLb1u9.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: mzyDSLb1u9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: mzyDSLb1u9.exe
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000006.00000002.901749097.00000000010DC000.00000004.00000020.sdmp, RegSvcs.exe, 0000000C.00000000.679025853.0000000000BD2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.682942068.00000000002B2000.00000002.00020000.sdmp, RegSvcs.exe, 00000010.00000002.714290939.0000000000632000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000002.715465917.00000000001C2000.00000002.00020000.sdmp, dhcpmon.exe.6.dr
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000006.00000002.902381045.0000000002CAA000.00000004.00000001.sdmp, RegSvcs.exe, 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp
      Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 00000014.00000002.717570199.00000000049B0000.00000002.00000001.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, RegSvcs.exe, 00000010.00000002.714290939.0000000000632000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000002.715465917.00000000001C2000.00000002.00020000.sdmp, dhcpmon.exe.6.dr
Source: mzyDSLb1u9.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mzyDSLb1u9.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mzyDSLb1u9.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mzyDSLb1u9.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mzyDSLb1u9.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 6.2.RegSvcs.exe.790000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.790000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00A9EE30 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File created: C:\Users\user\AppData\Local\Temp\42926996\__tmp_rar_sfx_access_check_4821234
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DE336 push ecx; ret
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DD870 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00ABD53C push 7400ABCFh; iretd
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AA6BD5 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 10_2_00AA6BD5 push ecx; ret
Source: 6.2.RegSvcs.exe.790000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.RegSvcs.exe.790000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

      Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | File created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp'

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00B0A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Yara detected AntiVM autoit script
Source: Yara match | File source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 1767
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 7651
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: foregroundWindowGot 734
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif TID: 7108 | Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif TID: 7108 | Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif TID: 6832 | Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif TID: 6832 | Thread sleep count: 101 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2216 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013CA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013E9FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AE2408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AEDE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DD353 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user\AppData\Local\Temp\42926996
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | File opened: C:\Users\user\AppData\Local
Source: mssvgt.pif, 00000004.00000003.654028421.0000000003651000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: mssvgt.pif, 00000004.00000003.673429828.0000000003666000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then
Source: RegSvcs.exe, 00000006.00000002.905644412.0000000006E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.685590571.00000000054B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.683774298.0000000004B60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe("
Source: mssvgt.pif, 00000004.00000003.673498136.000000000365D000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe5FB536C7
Source: nlcno.gge.0.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: nlcno.gge.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: mssvgt.pif, 00000004.00000003.673429828.0000000003666000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then35
Source: mssvgt.pif, 00000004.00000003.673429828.0000000003666000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then04
Source: RegSvcs.exe, 00000006.00000002.905644412.0000000006E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.685590571.00000000054B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.683774298.0000000004B60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe-
Source: mssvgt.pif, 00000004.00000003.673498136.000000000365D000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe536C7%
Source: nlcno.gge.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: mssvgt.pif, 00000004.00000003.673444544.0000000003688000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exeE
Source: RegSvcs.exe, 00000006.00000002.905418454.00000000065C0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mssvgt.pif, 00000004.00000003.673444544.0000000003688000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
Source: mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: mssvgt.pif, 00000004.00000003.654028421.0000000003651000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then;
Source: nlcno.gge.0.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: mssvgt.pif, 00000004.00000003.655194190.0000000004440000.00000004.00000001.sdmp, mssvgt.pif, 0000000A.00000003.685352616.0000000003D50000.00000004.00000001.sdmp, osmphj.xml.0.dr | Binary or memory string: 8FIgJ7N0191gPU5217gi574tU48o9QEmUq90wb9lev70EtYsQ8LA5ujQI4R72P5cy8669l
Source: mssvgt.pif, 00000004.00000003.673444544.0000000003688000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
Source: mssvgt.pif, 0000000A.00000003.697244866.0000000003B21000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") ThenLY7
Source: mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: RegSvcs.exe, 00000006.00000002.905644412.0000000006E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.685590571.00000000054B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.683774298.0000000004B60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenLY7
Source: mssvgt.pif, 0000000A.00000002.701323791.0000000000BC8000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\VV
Source: mssvgt.pif, 00000004.00000003.673303946.0000000003667000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then>
Source: mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exej!
Source: mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exee-
Source: mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") ThenEi
Source: mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
Source: nlcno.gge.0.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: RegSvcs.exe, 00000006.00000002.905644412.0000000006E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.685590571.00000000054B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.683774298.0000000004B60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AA6374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AEA35D BlockInput,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00A9EE30 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013E6AF3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013EACA1 GetProcessHeap,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DE643 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013DE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\mzyDSLb1u9.exe | Code function: 0_2_013E7BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AAF170 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | Code function: 4_2_00AA7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 10_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 10_2_00AA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 790000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: A00000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 790000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: A00000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 790000
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 552000
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: A00000
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 901000
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AC6C61 LogonUserW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00A9D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AC43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AC3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeProcess created: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif 'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDA12.tmp'
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AD602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
      Source: mssvgt.pif, 00000004.00000003.673444544.0000000003688000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.902464242.0000000002D5C000.00000004.00000001.sdmp, mssvgt.pif, 0000000A.00000003.698034879.0000000003B42000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: RegSvcs.exe, 00000006.00000002.902464242.0000000002D5C000.00000004.00000001.sdmpBinary or memory string: Program ManagerD2i
      Source: RegSvcs.exe, 00000006.00000002.905523255.00000000067FC000.00000004.00000001.sdmpBinary or memory string: Program Managerd
      Source: mssvgt.pif.0.drBinary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
      Source: mssvgt.pif, RegSvcs.exe, 00000006.00000002.902227136.0000000001750000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000006.00000002.902227136.0000000001750000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: mssvgt.pif, 00000004.00000003.673429828.0000000003666000.00000004.00000001.sdmp, mssvgt.pif, 0000000A.00000003.683718210.0000000003B11000.00000004.00000001.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000006.00000002.905392462.00000000065BC000.00000004.00000001.sdmpBinary or memory string: Program Manager 4L
      Source: RegSvcs.exe, 00000006.00000002.902464242.0000000002D5C000.00000004.00000001.sdmpBinary or memory string: Program ManagerHafk
      Source: RegSvcs.exe, 00000006.00000002.902464242.0000000002D5C000.00000004.00000001.sdmpBinary or memory string: Program Managerl
      Source: nlcno.gge.0.drBinary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000006.00000002.902922306.00000000031E1000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: RegSvcs.exe, 00000006.00000002.902227136.0000000001750000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: mssvgt.pif, 00000004.00000002.674121578.0000000000B12000.00000002.00020000.sdmp, mssvgt.pif, 0000000A.00000002.700975447.0000000000B12000.00000002.00020000.sdmpBinary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeCode function: 0_2_013DE34B cpuid
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeCode function: GetLocaleInfoW,GetNumberFormatW,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeCode function: 0_2_013DCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00B02BF9 GetUserNameW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AAE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
      Source: C:\Users\user\Desktop\mzyDSLb1u9.exeCode function: 0_2_013CA995 GetVersionExW,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY
      Source: mssvgt.pifBinary or memory string: WIN_XP
      Source: mssvgt.pifBinary or memory string: WIN_XPe
      Source: mssvgt.pifBinary or memory string: WIN_VISTA
      Source: mssvgt.pif.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
      Source: mssvgt.pifBinary or memory string: WIN_7
      Source: mssvgt.pifBinary or memory string: WIN_8

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: mssvgt.pif, 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000006.00000002.902381045.0000000002CAA000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000006.00000002.902381045.0000000002CAA000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: mssvgt.pif, 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cbb041.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3fe560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cbb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.45a1a40.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.45a1a40.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.790000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3fe07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6460000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cb560b.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3feb041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.2.RegSvcs.exe.3feb041.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6464629.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6460000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.3cb07ce.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.44f4c00.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.44f4c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e04c00.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.3.mssvgt.pif.4538a30.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3eb1a40.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.3.mssvgt.pif.3e48a30.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6744, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: mssvgt.pif PID: 984, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: mssvgt.pif PID: 7104, type: MEMORY
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AFC06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00B065D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
      Source: C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pifCode function: 4_2_00AF4EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts2 | Scripting11 | DLL Side-Loading1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools11 | Input Capture31 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
      Default Accounts | Native API1 | Valid Accounts2 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture31 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Command and Scripting Interpreter2 | Scheduled Task/Job1 | Valid Accounts2 | Scripting11 | Security Account Manager | File and Directory Discovery4 | SMB/Windows Admin Shares | Clipboard Data2 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | Scheduled Task/Job1 | Logon Script (Mac) | Access Token Manipulation21 | Obfuscated Files or Information2 | NTDS | System Information Discovery36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Process Injection312 | Software Packing12 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job1 | DLL Side-Loading1 | Cached Domain Credentials | Security Software Discovery121 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol21 | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading12 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts2 | Proc Filesystem | Process Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion21 | /etc/passwd and /etc/shadow | Application Window Discovery11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation21 | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection312 | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | |
      Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery | |

      Behavior Graph

      [Behavior graph image omitted. Behavior Graph ID: 452311, Sample: mzyDSLb1u9.exe, Startdate: 22/07/2021, Architecture: WINDOWS, Score: 100. Process chain shown in the graph: mzyDSLb1u9.exe drops and starts mssvgt.pif; mssvgt.pif drops and starts RegSvcs.exe (writes to foreign memory regions, allocates memory in foreign processes, injects a PE file into a foreign process); RegSvcs.exe contacts strongodss.ddns.net (185.19.85.175, ports 48562, 49742, 49743, DATAWIRE-ASCH, Switzerland), drops run.dat, tmpD629.tmp and dhcpmon.exe, protects its processes via the BreakOnTermination flag, and starts two schtasks.exe instances, each with its own conhost.exe.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      mzyDSLb1u9.exe | 54% | Virustotal |
      mzyDSLb1u9.exe | 34% | Metadefender |
      mzyDSLb1u9.exe | 68% | ReversingLabs | Win32.Backdoor.NanoCore

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | 23% | Metadefender |
      C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif | 29% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Metadefender |
      C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs |

      Unpacked PE Files

      Source | Detection | Scanner | Label
      16.2.RegSvcs.exe.a00000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      6.2.RegSvcs.exe.790000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      6.2.RegSvcs.exe.6460000.12.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | URL Reputation | safe
      185.19.85.175 | 1% | Virustotal |
      185.19.85.175 | 0% | Avira URL Cloud | safe
      http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe
      http://www.globalsign.net/repository09 | 0% | URL Reputation | safe
      http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe
      strongodss.ddns.net | 11% | Virustotal |
      strongodss.ddns.net | 0% | Avira URL Cloud | safe
      http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      strongodss.ddns.net | 185.19.85.175 | true | false | | high

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        185.19.85.175 | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
        strongodss.ddns.net | true | Virustotal: 11%; Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://secure.globalsign.net/cacert/PrimObject.crt0 | mssvgt.pif.0.dr | false | URL Reputation: safe | unknown
        http://secure.globalsign.net/cacert/ObjectSign.crt09 | mssvgt.pif.0.dr | false | URL Reputation: safe | unknown
        http://www.globalsign.net/repository09 | mssvgt.pif.0.dr | false | URL Reputation: safe | unknown
        http://www.autoitscript.com/autoit3/0 | mssvgt.pif.0.dr | false | | high
        http://www.globalsign.net/repository/0 | mssvgt.pif.0.dr | false | URL Reputation: safe | unknown
        http://www.globalsign.net/repository/03 | mssvgt.pif.0.dr | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.19.85.175 | strongodss.ddns.net | Switzerland | 48971 | DATAWIRE-ASCH | false

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:452311
          Start date:22.07.2021
          Start time:05:16:07
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 13m 57s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:mzyDSLb1u9.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:31
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@21/39@6/1
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 58.2% (good quality ratio 54.4%)
          • Quality average: 78.6%
          • Quality standard deviation: 29%
          HCA Information:
          • Successful, ratio: 59%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.211.6.115, 52.147.198.201, 173.222.108.210, 173.222.108.226, 20.82.209.183, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          05:17:00 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
          05:17:08 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\42926996\Update.vbs
          05:17:09 | API Interceptor | 872x Sleep call for process: RegSvcs.exe modified
          05:17:10 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
          05:17:10 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
          05:17:17 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):45152
          Entropy (8bit):6.149629800481177
          Encrypted:false
          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
          MD5:2867A3817C9245F7CF518524DFD18F28
          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
          Malicious:false
          Antivirus:
          • Antivirus: Virustotal, Detection: 0%
          • Antivirus: Metadefender, Detection: 0%
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):142
          Entropy (8bit):5.090621108356562
          Encrypted:false
          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
          MD5:8C0458BB9EA02D50565175E38D577E35
          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
          Malicious:false
          Reputation:unknown
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):142
          Entropy (8bit):5.090621108356562
          Encrypted:false
          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
          MD5:8C0458BB9EA02D50565175E38D577E35
          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
          Malicious:false
          Reputation:unknown
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          C:\Users\user\AppData\Local\Temp\42926996\Update.vbs
          Process:C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          File Type:ASCII text, with no line terminators
          Category:modified
          Size (bytes):142
          Entropy (8bit):4.928015689340774
          Encrypted:false
          SSDEEP:3:FER/n0eFH5Ot+kiE2J5xAImccC1CRL0c1t+kiE2J5xAImccBzi:FER/lFHIwkn23fELlwkn23fsm
          MD5:57F868ECBD091E4FDB78520CB92C7CE9
          SHA1:B136BF81EF0CDE1ACB81805F0F720B1B27EA9AAE
          SHA-256:46A47F9E99337DC115456C5D920870A2F2319F96DE3E4FFD77D3EC27C6410E16
          SHA-512:CB788015AE9F6801BC944E5B35501E89AFB3521CE91C4A7D7CF7012AB485682B2EEB277F403468482431D3C798F0A876427DD32885B4A40D7397295B440D821D
          Malicious:false
          Reputation:unknown
          Preview: CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge"
          C:\Users\user\AppData\Local\Temp\42926996\ckmir.docx
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):617
          Entropy (8bit):5.449426819433693
          Encrypted:false
          SSDEEP:12:YNMZFGHeCG9n5Fl8rrLeJx5GsFh7qJhThCBQ2Yg:YNkUPG9nCrrLeRGWhebh2d
          MD5:69C5527A6AEAD551FC9EC27F9B6B7498
          SHA1:EDF1652A6CACDC3491E2B6B8D0031504A70708E1
          SHA-256:FFBABE99CFBD630F4FEA2D4976BE390DBD0BA1D91FD73419BBAD456DFDF642B9
          SHA-512:B995245FB6A5F73143F1B5C075A59F8670D2CA974EA932672396A67B5CDBF22C8917CF33882A9E6CF6B7763E4776C20877B1033202CF4939A728267D569A8DD4
          Malicious:false
          Reputation:unknown
          Preview: K2627..1GA8402dH83YGM26s725062NV6794kd466S36Hj02Nm8100Rhtnpt4F6w62414rhe899..M6MZ4Q7m4UQ7T8V0431C59N..84POy..Jk538ka75F5XH4l8661XM2703d96278zZ5H34Nf525X8p1xPp4w3fS4Z3F5D77C9qDg58kP5p93SK930GVS1yq0..bm3N24M1kk51mQ1Nv3Q7H354t7QGl7pv8K17DD01lf21412ry53WhMGZ4Y0Q7ne773w4cwKKx79y06dmK0x857A2NhN287PM1X8D01W..209386kDem6K..75y004a5W24761AaU62bnVd9N0zs47z060tUE13h89O7g5yf12MNS1Q32jD1J1vlba45p2m02lf5E08e32dW97m43683a2V0s4N98aOj58N3Pd1CdX0zD1sx2I278Ud6tzm7HqAD2qhUa3W..oy135iFp39vI01J83JD0Zq0BzU4Fi865..vVu0O321x7agSf24gX6fXSqzSP6Q117kDN680q1bl66Na5278U9150M8g8i7C6h88FXP8v0eb56C23G907473XZfm2fX015NLYzCYai003rX883P52WKflL..
          C:\Users\user\AppData\Local\Temp\42926996\cwgoehjl.pdf
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):541
          Entropy (8bit):5.479324009317679
          Encrypted:false
          SSDEEP:12:8+sYbXmRDS6+ShLLGvUF/WqSyOXCZMEcUOAlf+cth1iy:8NuaDHRNmki+JcF2rB
          MD5:2826C4C433D5C75761FF6776F84E93A2
          SHA1:372B90A33936691FB879FF904916B18D1D3427BC
          SHA-256:9FB13FC02A504733A6E277DE71D2CAAD43B08400233DEA00A17A13ED452D53A6
          SHA-512:C288814440CEA339E774CF40995E53CFD069B7B2A2CE76E99AD249E9BD816776C4749D5926D9D6EB0018347602C6A55520D79DC9CEBFD24AAA522EE190430091
          Malicious:false
          Reputation:unknown
          Preview: 256c0EoLkX71748g10606T6824oGIjb319843Rps20g9RVMV40xu00U0434NHVj1wJZhY9BH1H6u053L..IY426C46pzu5sdCxH0FJCca4nMTS121xT090C57Ob1I1wKeW2v6YbS9F7dh593B9274AG49214tB21H..v0sd60s9DQJKJ6s709g0D562ROzH7T7m9I2aA6N71cb4y2S593YPW5B541n28Yk9103A6d7605m06ov8L2282pfnbj7311AIY5l9qZk57T9..9u6W8..l4187Rd866J825qGe9vVN6ww4t87J2882A76mtU0R78kVLq16NsWG3g3VE9514x0U380D6h..N2ol35rAU2sD3PDFgU77Oq17l3314..73375lX594S525eVrcv797EKg270Ng7dwrQ04LA047Fd707dh1PI75o2C744O9dB6z4k2r18iv9g7RT5279h5f2o7Q68b0n9171A032Om8t2notsw44Av4JO00q1O83l67V3061A9943pxfF80Zd54WNS1iZ..
          C:\Users\user\AppData\Local\Temp\42926996\fiqhwi.cpl
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):579
          Entropy (8bit):5.514395455746834
          Encrypted:false
          SSDEEP:12:WX15avfwhfrYd33LdeYN0keB5cawzALrWWb80qsQ/FUrUBJEA:6YGfA33LUYykeB5lWsrWWblLi6QBJ1
          MD5:8018EE0EB16AFAE8BA0E390FD5F57614
          SHA1:8104C1E01EC5EDFEC260776A8DEAA713031DE8D1
          SHA-256:B3D59FCD803D678046A6CC622E29450096C58B9CC043FE239FB67EEFA5156162
          SHA-512:D929D64EBD9D2CD62F92FD27C4DA9A1DD452C5D4C82E3345CCEACEAEC0C9D0FDC5033C85EC4CAFD17F579BFAFFFFE9725DF05D066B7A2B6F1D2014243E21F4D6
          Malicious:false
          Reputation:unknown
          Preview: dcm590D385015kDPT64fF5v65125W72LU1Yp0Q3Ykp8e95r8d2Q7Q69L900b92U94Gizdw7fQet6415Chy9u073p59D45JuCs..U876K..9034U0X129e3RQ004775..9Q6Jnydx9XR9tDxuS11nYkuW07VJn7zP65j6y70U2q4l4K7bL8NRb947gOA0mQiMpsj277rdNN..65clLQ8Ck3GFu393W0858kJo29uhUA7N741v8J02fu55D476ka88RJZ0LA7ZT28HY57HU7060j7D46zI1s10x3L7R..48525nh8sLPxb2..w8rl5YArf7816qv1gY56S834X3mZK4IIre3e41fC1k6J45S99529LPw9yv1087k51068282t78E3Hgsq3A9jt3blI..x55t20BA7xpK20AAT98051D3oO42pIUQ8116Ug2M0K0h99d1h9E0QF7Glw017p36ndchVbv4..9DVhZn4w21pswjk8K9Y2v1..W23p0f8eXl8V08U20jO0s00x18799c930V04xBVS13Kj9x8Rl8Z7U7TG3yb61m3A9Es0825wRl024..
          C:\Users\user\AppData\Local\Temp\42926996\grkdutke.log
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):538
          Entropy (8bit):5.4956415265284875
          Encrypted:false
          SSDEEP:12:Vi+LEl/gjqzXRFDxEIJqwEVNU1fkEVskq+TFxBDcip24AzvKov:VBLauqrtEEz1fNskq+cAFADKy
          MD5:69C2E12C93CF11B56188F941B01DA7B8
          SHA1:16F78D9EAC39095F5A739C7B2FAACB1303581A1B
          SHA-256:E492A1AF16382B8391FA9365BAD3693DC68D8A171AA19AFA90708459E6F1F136
          SHA-512:EC241B94F9721C9E38A1F9C4242B19B41781537EF2A73D1BD57F9A7D578B76A2C276F6F6C843C83EC0E5C3F876AC52949EBA212B253B03228C096CEA786F55A6
          Malicious:false
          Reputation:unknown
          Preview: 7oOf0O58zs677R374561OK5qC7mpkcahO2ST791dSSU7a6..6lc0qxsV9cEFGG0075Z6tJRGEp6yZ447m7Br5eU11R73Unm061K560Am7c567rw5626l5H6EH0egDv..wv30c5Ti7dp70V5e69h0cO56OtkN40IK9uZ8996E..kEQem9Gv0m832sw2E37445qUU5ydd..5ei122X40wB3522Fi4cw22Yndl36AT08E22P5Z9721Me22St175134k8o6ik9867MtN5vN4916067zLDISJf4na77s61946P57a5Q9L8281j99v1Ox3m004478852Pg5..48OO71B8DhpcK3Tjvg1S9S35g712BaO2wKuo480YhQ7cQX33djx74R9D210uMWrh7cjTz2s54hk38w144Atf9HVx2aZ29Q73..AOuN6wV555W4nN86UE78dm8f2wd430YGuNQ5Nx44890Z1CCTH227161g3zt7vhV59xf0477Eg714p0z15H1ly7C0037a6UYioJf65Mc0708..
          C:\Users\user\AppData\Local\Temp\42926996\hbnbumf.ico
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):620
          Entropy (8bit):5.5422947484886045
          Encrypted:false
          SSDEEP:12:fepl9EmceL0Oq2A9DJg0SSr+dQ+YQ13lSeY0Y/DDFU9:fUpeDJTSSriQ9o1SeY0QZU9
          MD5:1919C73E61E57957681F1BD1FDF85C83
          SHA1:2D0725A62BDDACE1D0E3D383D89AA159D901E838
          SHA-256:6C6F2FE2BAA0B45090F5451E54CEABCC04B8B822C66250A7C04FE4DF9694B20F
          SHA-512:4500C06B44B7ADF1B5DC7C10115B7CD2E54157B85F090CB6C1105989113610CE90E3A03D5C9482B33E065C73B1A8905ED9A8BAA6676D0B66CA195B5A3415E7E8
          Malicious:false
          Reputation:unknown
          Preview: SIkg6764sWm2l3WIJH6Q78Ezi460tu1Z57pC4C7e1qXk901t3RsT91R2Vd1BI9g4Wj3d281075m564z9Z7jv7KyMOR9MHwCv5N56c7370tz0F4Se7Q..9j1RaF4mY2239RRlo6q9BZ44oM6Hn21777vQ5g1K3apC8mBE03i96Ms259L7OwS03Nn53034n09pxZlF317wMXxA9410K1461PB51o38v2J6R9h17NJGV1E..64bi31w7jl2..I29T74I21XG0YczP10Cd80mNU27078i4V79Rx28ydQ485N9K81B26Q07plW9w3rT5W22PT..n7z55D2R70e54A1F089S1So2IH22r717qRBeFbp..Z044hOgH5x1H0XV9TKS01ObiE1e0q313p0R5518487iZW27tMEoERRil6C90S1..01VFJ96I8pf..6227b4w6..2T2p64vdE3PlND000etT4w8467j3OC2lkR9r3O8L7knlcMa1P2J22068q7c7clT8s343o9zFOUEG568Go58x07eB04Fo85wsAyOE8l6Sa754x3jib6u13a56MS2349h8Kc2346Z29z00l7JS8rCmI7PjL79f04nLP5FM93Tc..
          C:\Users\user\AppData\Local\Temp\42926996\hfnchgbbo.xl
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):646
          Entropy (8bit):5.443595298898935
          Encrypted:false
          SSDEEP:12:WxyC3WgVsoCK5MTeVmH4CQlJQxdiQ4dS37T3McYX41QkJEOE668wKR43GVEqL02h:YGgqyVmYCQYxUS3nGl8wH3CEa07s1h8y
          MD5:4622EA27860D80356A2C95B906759959
          SHA1:12C5DA2DA50C0C3A76C153BB0DE2213D391B09C7
          SHA-256:CFDE0EF36739DD63F651EC9944BF13AF38DAF9A8426ADF98F23D14D7945245D3
          SHA-512:54A7EB01D5FC0075281AF6D28E434F0748C57A3A946A1E016EC28AC3B1D2099599A4B4AB3CBF428998BB370A6609C35E374C1286EFF2212B0033E35260DD6F1E
          Malicious:false
          Reputation:unknown
          Preview: nli41a823R693jgAmT3wx..9jclU3qG6J088T8..miwT25vE4xztgs7pM5o21N8TcYrA8h2K4988M7D6bSC90Bf0HXg0A950l8EdzzcOK3Mm32A5u0Zo32E5U488H87CA5h983909Tj79bc892WTA5294fe10IkV791w5..v6964L5G588dFS80NjZ2fjqog4Muf74gzLM6nK6Z7SebMO2Cw6P48mJQ83727SW024887ATj0M0r225y9R53a3279H517vOe..79jdx55D497mlc9Uasfl9V8tVMW9e9I33810RH7Eq55z7ZFq0iVB329k0..618j571934J3o0g2QrW9N98tQx4onLRa7B65G4374O9hoO2IO31G49677kmci2u9AmF7wdk5o8w7s6C556V1Jge7C4D6P7S54883893J217H6G055J035G5W459g31mbi29..84QOB11305qzB7Fg1..3f3lo135j985tKI8..1tDVocN4z1089J7w81S716175484269s0407o8X3355569bV7g2hQ864duF8556sx040z4252mg099X4txJ2UlS615S4W40S675eP363WaTcIo1c1yB4G45xM07431917e17Du9Un8g88853jg6Y6Y..
          C:\Users\user\AppData\Local\Temp\42926996\ifst.icm
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):521
          Entropy (8bit):5.4431785971520705
          Encrypted:false
          SSDEEP:12:r0LULkV/31WQMHnHI7uUfshdwIdY4jWW5MSdTU/APBQBXGaKLysn:FLA/3sH0ussLwIi4xOnAPBQlGzLLn
          MD5:745022BF11251404193A08B59C632B63
          SHA1:DD7CA88057967A568045511B287500BE630A1BF6
          SHA-256:84D0BE7CE0472C0B09E8511F183C803ABAEB20E3268244EAE34F3871E7E4E7FA
          SHA-512:74163C541AB9292DD4036A5E028CC7FB19A7ECF67E054D5DFB1A00F0CC9B8B34BCBB6DEE65B91C0DD3838CD523567ADFB54C406F86E9C3B86E1C216CACC12346
          Malicious:false
          Reputation:unknown
          Preview: Jnd515ky83qSv6R0155841797Mqr937376nDS759T813eTn6e620mr5A0198m95mf6NY50D220tSq49kopQ69kgn9eD5pY9sg79XX6v1L26I4594nL4a3Vd329vu..en59B9H5FV6t7Zvzx96560Fk997072ux55Bd29qAi8t66L92zSFQN6546kh2n5U7G12KdCq4mhy0lt..223Mhh342YS2s4Ng1C0AO65e3g3E41h08463y9g1886733cU..0wiR6659B8ow8sc6W73Nvd36F00vL49a7SH0792dg1wr3b3z6742806608j38qmy3W8e23f7R64wa3Lxg504Wp8i3S6iSR5QCg541QO525W8uQg6v8X6tt6P7H7..aI417C1k6L6Y551bopDECnLk99d70qM4cQCn598F0VQg..6oVMe7586lQ7k405a1p79ZN0K196e9nvVt9635yU9sBP65kVK800xESogfPTKe4IjY3797Z2n5CF133D3562z5B24sDo..
          C:\Users\user\AppData\Local\Temp\42926996\kjra.log
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):524
          Entropy (8bit):5.528005365651393
          Encrypted:false
          SSDEEP:12:3smWrPADVS+qdP8fZm2w7D/rBjAOvBRDoN1QcGH1U8wud5A:cmDDVbAzBj3BFonQFT6
          MD5:1F1E59FECF5DF5D67EB5EA8F76757A82
          SHA1:A7583FACAC88C72EBE0153748DBF8F15168C8C0F
          SHA-256:A96E17A36BDDB28D181AB94B1D1A71AD8F9777C3371C622F09572FA48DE98858
          SHA-512:F03DC39ABC911CADF704314DBA7D0F117D3FF8BD8D7E57801AD32844D5827B590E1D6A7D942E60793E5142ED71DA7D4981992554994C164EAD279064617E0CA4
          Malicious:false
          Reputation:unknown
          Preview: DK0gd59THXol0jz39V3969Zy56525I3Ecb959yoJf5pBef7IKl8e9W3E9231W6rgm796JIOe7hY9Jo789gbxbs08t2056W9fZ3hTktljt1jTD93288wG3d28XgCF..981g4155p5753pLJTDDhBH9C0sY88R01HUG30z0tk4qS74xRUeYx0NwZPFy2yhvbK0V5I54603F4407I1vt13v36r9C55x7MS252xi36DP44zRUAE8j237e717uhCr45GHF9YNeR7hB4cG30r2..Z4Jv769401QbYDdN147327cIRW45I872nku9HxK36m05sQHO8605k99IG5ICJIo50r74B1I5389l08E806b4W1K1sdnuCtK75bFr9Cv5kb0n2lVI7..59e6Pl46B6RnFm1pL00739D45E698Dc12weSbR44..13Q33645a631159r08Y37j757PUScsbgm..4R2p82246OE1f2f4P1h166ByQ97NUS7b3v61x17WwCE503Z8yrh4dpW4..
          C:\Users\user\AppData\Local\Temp\42926996\lbmvv.exe
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):574
          Entropy (8bit):5.476882831858443
          Encrypted:false
          SSDEEP:12:Ls1NqtoRYoSRmzT0CEo2SxGoH4l12bYfC6cfHVDU6RjIPpuwrKXSK:gq7oimf0CB2SsoH4f2bY66cdU6RjsPKR
          MD5:5E60119B2669886F999279009DA914AA
          SHA1:47E8ADE1FBA418C5C6D89F91A652B7D465D0982A
          SHA-256:445D2F496120BA52AB586F17CA0060B76529E090C9E6D3B388E2C44E5AAB4D0D
          SHA-512:20881FFC12CA10F7C86FB56231715765E05F60CFC61972C5570167C5C81C89B7FB896D04BD95C68CAC1D28420B0248DA48EA8F1E1FB1023DC20DF2FF00D33EE5
          Malicious:false
          Reputation:unknown
          Preview: 6w027Sdr9mL4M70UIk9cv5m26300444H3VA83w7354nx4eL7k62Pkwo..Iq11M7W494896K2ArX3782Jdu74a8ZM091G9T9LHmeg01dbH09S..4N44i997N2168..7hj0LtC6mn800M0709T8461201TpC36T01Yg3D5YHt3s72t8rT12C0A50MpWrgP7ee9bSe25Y7Vz6223c6kS60FgdIZ1F5796D7..QVc5L3Y20IDip47T746RW7P2u45549Vc29p568D91lle0180K3E641qn0F6Si883j105484PR11dW042o..2NwB14oMr853249j6759a10YB031yRhC33wcU5oysj2jna86vtE4kl8n4h79dUA53vKF7i9e6AIq7cdzz667L..IhB6Q39BM9V0267a7qwoC813p0cB1j466THoh310JmZ5V725Q25tIk5C7k68q7e4tM4tly2kv2nDlOxQp76R9g..3t358M9ngPD5CV321HR0Fj0F0BC1B54pvEun20376D55p7X071W9w9050SQG0e7quA9Mv94C000qILc33CfgB27z..
          C:\Users\user\AppData\Local\Temp\42926996\miwpdssknh.msc
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):590
          Entropy (8bit):5.498198413930072
          Encrypted:false
          SSDEEP:12:1uO7nuPKbGfQXmBo2N1j2IxuavYBMz5SYEf94ncojOX8:1uO7k1Bo27SavsMz54fEhOX8
          MD5:7E44ED3E3F35671005625036A8C6FA5F
          SHA1:DDE31F00B9EDDA3A43A97F013930DF5580CC9D0A
          SHA-256:86E93351ED56297C38ABBEEFDEB5774C521A7A9AE0C1A0026F1111040BC47D60
          SHA-512:62B6F21650ADA4782F65C09A33A8BAE5E9C83478C3CB8254D9FBEC54E2650C691E46DA00D3D8DE6C32D45C6C1E91077BEF867C6876E27F58609919182FE32CA3
          Malicious:false
          Reputation:unknown
          Preview: 978l4g9T29D..1R3718Gh1QX7034hO157Lm65k7d1WG4v2XZT33XxJ06TB1dhM7J2VrPrFa7mP9C79mV0ED0jW4e2l1h85X6859515z9h2dzUN4c58MW06U39kpR91Wj82c..f5xE3oAunY34H3M6G61PR0j50g8e0A1159y88xl14HGs7fY8Rgc28919nA60tScp4986sdZP5F21a0767gU8..gSL0746aEy34s8s681o83959Ja73Xx2n23cSA569v99m9w7w5198N0k888yt939d5Q6R280nl5r03w2yHm3Ws4Vp6s618nai0GY6..FCRvgc7OR3J79C6dQ54G39oo87s95Aog4n2p4hG15IQ30A26L39rE761nmTZiJoI591N369f82W821l9ydif644HaT5av1IR11Eb894a4z8447A5fBz468STol7FgmTJ6O4zT2qwx5O328b1H808w8..88aJjU5mH57Qf9RJ29Hy1Ol57i5VD7BHC138xuw3RkiEzDfxv08C13317749Hr5B35kQX1iFI6n8u4j264150aJ8X6VV7vNfhtZV9v49765B690u56P..
          C:\Users\user\AppData\Local\Temp\42926996\movg.mp3
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):507
          Entropy (8bit):5.5028954520443465
          Encrypted:false
          SSDEEP:12:+ikTNSNWhkTk4BXfbIwO86SBWAGvJiZCgiRnpYF:4SPPbIwBLZGvk
          MD5:72B74DE7322DDB09C5D3A61BD25BF679
          SHA1:53BB1720B7F09DA2B88AF19B3D40CB4DDEC9272A
          SHA-256:FB155D6C46F4A9A431F8C93F072BF49A55B9A788CA922A16EE966976B5D0CAE0
          SHA-512:1937D98877EDE2D3E30FB87317451FD8DE3F96D575187F2DDE1284CEF48D665081CE938D2905B5DE39AA3549228B83396423DD0DCADA076AD3369FCD4CF551D1
          Malicious:false
          Reputation:unknown
          Preview: PCo2eg9U7325..zvEnNXmsAqeH..4lV7ckhs889z6P5777D8uBD7GBR24tdo0199m1D41j0gU34D1x5IkA032igV8RfXA769eWYP36d33kC305dW63v1Ru348U2D91499T60amrA65V75wNdkzs..ow954018wH2Lkq53cbH0640s4SPB28n7UgrPZzJUp29mj6pQ2jU9d02u15kIB6s20d2i3W657u590RM5U101M5L56RcSu6u63m..22z87UFh9k584ZwT0SzqD4C47l3FK64URYh9q4M083746eo8Y8X455Ghj12FI8F9I17zg0OyU24pFiv0187s..5kzcQ3N9870HY0N4870N3s185t553h561G3372780Aq9Y22LYEE4C4q303696e6Vik89j7y0i5sdG6G336oyS9ymcIk052mO0084c100JfLxUs1D7k176813g661I11p42jZm..Sd414Q5C71O2h34XPbNY2I388VwHkTKk9Y8..
          C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):855280
          Entropy (8bit):6.394628658129692
          Encrypted:false
          SSDEEP:12288:8BzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aBgZ7u/8u5DGDt2:ucneJVBvXAvwRJdwvZ5aGzu5DGR2
          MD5:7C81E999E91D1D0F772010DFA4C34923
          SHA1:76CAADC92346688B50A408B6C48017563A24844F
          SHA-256:73A52A4C60D253CCDB79E5D50814D1689A49FD85F9E0A40A0DC57BA7FB54E5C0
          SHA-512:EE5777AAFC4B568465B85322BA6FFCF0A38ECADDE6274A2E4FDF440CF2EA061762A4B07EEB9A5B40B61D8BF3DAB91871715BC5E64DA74768F0BE342B1F79AE27
          Malicious:true
          Antivirus:
          • Antivirus: Metadefender, Detection: 23%, Browse
          • Antivirus: ReversingLabs, Detection: 29%
          Reputation:unknown
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................`............@...@.......@.........................T........%...........D...........c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc....%.......&...R..............@..@.reloc...u.......v...x..............@..B................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
          Category:dropped
          Size (bytes):127058776
          Entropy (8bit):7.046934448053015
          Encrypted:false
          SSDEEP:196608:dHzjoiE/XUnPtU0aQcLqutJQpBFSf+3sdH7zYagPjPKzi4hpKR8tOZA9ZKW76+wy:y
          MD5:92361A2C6EEA87C6307831A666FA7D2C
          SHA1:63AB641C55862BCFA206961541F76F880DA724E1
          SHA-256:971FC12991949A36D791C0E78F3C2AF5E8F2F12220C875D196CEEA03541F6E11
          SHA-512:4A9E383AB333DFCC1098F703F8716967AFB5938B47796CD1B3C77162AF7A6713967483FECE000211703B581DA2F5738364D2EDBB1F77269FC7D5BDE935D347AF
          Malicious:false
          Reputation:unknown
          Preview: ..;....F............H.)...b].7p.10X..i....0Ze.j...u.b..T...Z.84.....t..>...........E../..nG.%].....<....Ul..N%......j.G-.z..T......#.c.s...H.u>.o..... ..=<.p......y..g....C7.bog....x..4VX....~..W..U....0..\.1..1.D..p.....9.1.6.4.M.0.8.X.2.h.1.p.5.1.E.8.i.p.7.X.4.s.4.9.3.G.m.0.0.3.5.0.c.7.L.f.c.W.9.2.5.......r.@..>O...A.'.a.O.W..=3...b.i....(....SPB..DF.|^a.%.N..hL>.y.B.....'2_.4U.2..8....J..e.....[......y2E&.....f......#.$&j.R..R....d..vP.D/_N..S=........hS2..C....'..UK0....1....%3m.b...6..1l.Q. .Z..5...7.....g8.......i.W..h.H)MF.-... 6%.b$.*;....W..c..T..,.oX*[b q..y.8....#K............z...n. .......r./b.....,vFj.H..F.Uk.jk#`.'..L..........F..D............E.G..Y..6f6@g.c..J....@e.;...Q_.hZ......D.v..4.%...Ru........<.8..J..C.z...c...u.......'=5.....x...i....N.~.**B..t.w.j.#.C.v.......".].w..)z.6.r.+.j..._.{.J..... ...+.w...4........#,6Gj2.j'.c....'...;.JwZ....r.Y.6.Y.q.L.5.1.7.C.j.9.5.l.6.m.s.8.3.N.9.T.....~l.~...........'...d...3.U.^)....H
          C:\Users\user\AppData\Local\Temp\42926996\oglqugsxk.cpl
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):571
          Entropy (8bit):5.449934915839515
          Encrypted:false
          SSDEEP:
          MD5:CF085B6E054EDDF34B1EA65EC358E493
          SHA1:0A4E8F79E20562A700BE4398A08B9731D0372AB3
          SHA-256:D7F0516C623C0CF7AA93F4A440682AFBA44C46559C47FE1BCAE53EE2B69678E2
          SHA-512:55702C9025B1B8E40F724B12A72D70F10251E4F946ABA32EFCC17762B90437A084F0610E0C1BEC2E412A94E30DE46559DF9920DFCDD36192B7792739B08249B3
          Malicious:false
          Reputation:unknown
          Preview: s1002R7ZKDEsd8Q3M9J23D2j7p29X38TJN7j3K5xto53bm4a6V34WY332G44n243KbE7iy4038r3QD2eLj10559FS3C4492M0Y9ZWQY4P6te63Kqg9HBY022Qo4793Po24j1l9131W4T60K5NZri42KS5ZBKA6759wR..4nF37Cj0cWm72X0YS68NwcEa764v073Ixhwx39m0450K2K12ky8o714Z30S2Gc676tpVtoTSi0a126P7q13362Dl2u46sbBD491yr1336U894RG9c1J6t7B768A78s3b8516eNFn66y3L10sVoZi5t3138U5sz7YK1501Y75Qo595AT5JZ7..g3S0HTyQmz697jo1O0K08G7517r26P9JM367c62bT0a417225RR531L4KF5Z2G..5J0v6Hm213MO5rB4JW458xAx8cd45M82o0yy70rkWxm55N5KH2C5I65d6P96o..9bl81C0om64s751Jks4Dry5OnVl66s1t6482A3374pb5y33R7xn755I0zu4RaR63T2ZSC8eF9WR66l9bf8pGGVdx9Ss1Dl90..
          C:\Users\user\AppData\Local\Temp\42926996\osmphj.xml
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with very long lines, with CRLF line terminators
          Category:dropped
          Size (bytes):491927
          Entropy (8bit):4.409452520509473
          Encrypted:false
          SSDEEP:
          MD5:1FC724968D0BF0390A4AEFBF97D8DE8C
          SHA1:EA72BD83EDD43EC5D44722355A90F5DAC04C5DEA
          SHA-256:CB686EADCFC96AF6C8ABDF3C8C71F498D51045784ADAA62504EFA8146481739C
          SHA-512:2D566754A67A516DAA3081B8319A869060E78D5BCEB190F36450B7F115528CFD681A582550A5B9462360E1358D21C946836D25E6DBEC15E426B2094AF89F2D8B
          Malicious:false
          Reputation:unknown
          Preview: 800o4TBqPL2E57v4TVP0569e4H9F095v6A8Gthsj899op0MJ..94080jmj..0bykqpX17Ef5ggQ7P9HF4..ieK1081zi31IPAp06z6123s2EG8Oa7UhCw2t684C6p7O38K4YAY6Df..67N966f5645ZQ5FTV9D16OG61GQKxn4W4tvaukw0qlDIdS5fR2iW9qC3O73702Ojdx4..8DZpHCc1Z305115A434s1kX007118pqq85l993Scb4a62iu8MkW1X0V20d4T5r9X..I2229H6853mHz0Pj2lMK877764nW47r5Si5GVMR..6O88xk22c7V74163w7la6o1OCs0d5fd31HrMqlhf..S73522aN1907A6d2w40vmef270693yt..412054L8Io64598685063069cS772UD0436Jz38AO3GV7f7fSP98n5YKhx5JZ3u0406Zw5AIlK368A15..sl3bk3Q0gMX74heeo3E3u2a67Tx02ce0c87gq8yN508156I7LY6R5mAF9g21J2LQ718567OCzp1G7Y0g2F8..m783t3Q3ac2ngukZ6x409A74U5529uGQ1dSSEl6B1Za9Jw67DS8g3be724mdB193m2AXDxYcadAQf60..31ERYW422T134WW442o5040uh7e9078fA046v5kL4184F11je27c547r03b897QX33..5M7i6r180147z1tB3X58gq2K4ZK2v636eg609YYdM8w37Cg4UX4o30uu0D3545C6nz3GpZvK..rl20K88sV9376v7EdL90Ho7222l7xE997..eY5i9q203Y284l31R998E3ec7f90oq2J2wId680G3z2y277p9vS4L1..L89654bm016AIj47m7S3S54f2aS0vt9..21252L3a2544m292vQe92J6sR1j81vVa5W7999kp7jV05lmW2818W6KQR9Mq30V72389Q0QQTG5..L4451m1WU574i6B1YhF
          C:\Users\user\AppData\Local\Temp\42926996\pxoxuqd.mp3
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):512
          Entropy (8bit):5.408101591607319
          Encrypted:false
          SSDEEP:
          MD5:2A8111F27A0B2DE0EA3147A7A525B60A
          SHA1:24CE7AB45455E8723260750FDA7E921828285CA4
          SHA-256:68287F784D6DB192934DDC2037BD35DBC4CE86D7932FB8A6144F176ED8A3C529
          SHA-512:B31EB7E7A2DB36452372BE51CB679E3BFFAAC17C96D90935660A4A27BC22865A55004C52A2758E37B1EAAA9BAE4FFD8E461CB5314B4FB03BC5033CB431475AF7
          Malicious:false
          Reputation:unknown
          Preview: 0meN933b6T4BP9GbAOo6f..86ee68vDp477b982W8gt4i2zvR046732632PIB66Q9yDUn4sD9ayMmM..C0p1i0cD8m24uG9c4838yWG33S75b15SH6v5S98O06gY7tKbp65WBv3j62Oc84S5106ZHj57t7yb695w009DGr34D93..26iBd99YD4z5x3EG1DeZ9K14858sGcEe8466l3plrT5LC5Bl2N2S4R103Hh3lW5156..M2FZ1eFz6H204EmK89741n3t51D58gd3Ta1727058W58j0092r7e44U322sp98p0p9n6aXLkqk3zt44097Pn2Vm5K4827wFb..t94BK66Fy32t8..i9a166heyi0G6e1W2D7h2D20d079M8H13i9A01g95Plc3UjwxB560nGB78G89i5NZ9ge41699D9vR0U8KG5d629b871S428H8w80Ed1..8Q8v56MpgFP07B5911976Pu6960JT10ADT8c1dSt7D464J1NyCv..
          C:\Users\user\AppData\Local\Temp\42926996\qbfcdn.ini
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):528
          Entropy (8bit):5.451436816252411
          Encrypted:false
          SSDEEP:
          MD5:3DB4894C43392B664A37F1A8B4C932FD
          SHA1:F5B3978E81964AA29DB40E7EE757D084B6311C97
          SHA-256:25758D73FDA9A55FB2ED6ED00FD0792EF1265958B0491F95BBBE47C4C5D4243C
          SHA-512:DBCE3DDAAF70295484DD837C13E82D7954C6DB5014038D811700E6E917238EFD3122EAFEB1D64CE51D28B72619BC2157D958AD67C2D0B2E1BF33ADCE1F7DCEAC
          Malicious:false
          Reputation:unknown
          Preview: 50vwc81cTX6297A32v63kp090116PaG02K3P9r2108DJWu0lA0m41K36t04FUXN8N7zf36oQ6e0W53r8vaSS23O51v33tQdW094UMO98150O680L..w0350707LfZ307AA4ZVGv61kv07KrvEb3i3N95..o3Q809DRj4p8T36505rzWwa0506005ns79078gE0a70j3t55i5I3lXQ5V2w1n4JdbJvK92Ruj82Rs163JpVowUeX88amP3FgVLG1Y7m0P879t..4R8U3g26L4m4jhScJCW2mlgyfy92aR82c0CP0VtmBb6i4P95V0VM2923uw9Atq2U2HmQp90k4Zwm913c724SjUR75Se3l9Np1obb1768uc1..I9ue6Ha4H3vi8P431P4K8dFRU0921613lF5a9yg3N7m3GR9un0fbgFG4JkO8897IG9388lT5z48p..4n6576298Kl4039jc000ql43gF3662ob8j32K1h4LP23QW8U53723fax9825n10z8168637146..
          C:\Users\user\AppData\Local\Temp\42926996\qqnevdri.mp3
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):551
          Entropy (8bit):5.430749806877986
          Encrypted:false
          SSDEEP:
          MD5:27D65CC4AF528CB21FB2B413D4AB5844
          SHA1:BEADD1DEB8E398574ACB2A1502357C670648E089
          SHA-256:C33D4B875023C27F725707B6F365F9E5DAB4207490FFE81E64FDBF98960FCEED
          SHA-512:BBB050F35A374FFE15A0790D6D15708F5C638873E2EC2C9AE27AFB27922F059C11048168F77E9013BD8638CB901AE358C59EBB09D76B55670E53ACB81A13B6F2
          Malicious:false
          Reputation:unknown
          Preview: nLvFD941P4OnW2983tw8y2g56L8Yk422SE2nE94yu7j7045KR9A4493r3H1C6cI861S1x..PTrD1Z0119751ed92Z7wSAtto6R14Te29k52582L061d345a4a9uOzA5Q5ePF35326ZF..9BJ49089907676Q5kV6737F5xs9T5gdXLL988V3gW899V84HrvL6n09BqqxR674564123I98ZVrV0ti67R1P7X2BT926A16t35ex90351W2g80735J48urB76R54lT87MXu39ZkB2W3..U6tV3s701x7q7Xj17d2O0Ig..uJ8j08n0g9So0umQn3jzf280CKO3AMK4267RY02358J1e21f5735..Wu640p4N27H02N4gYJ35j287P3dY16V9wEf902w06e70976Mlz4ACK390i7g960G2JJ58Lw965V7X89Nd5DLkm5W7Baz5i4Ys7J5Y973zc75u77Ob89224M35o8l4C598O241Ee1f19hO93Jp22e8Qm002Nlfg6fqrU2i6y25e5kE8FbCE03H76Uhzh0..
          C:\Users\user\AppData\Local\Temp\42926996\shobbgka.dll
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):591
          Entropy (8bit):5.514752960740008
          Encrypted:false
          SSDEEP:
          MD5:FB8633E239A437B6DD04D393AF0A9DC0
          SHA1:8311C0A918CD5D065582451AB266F35F8601AA9C
          SHA-256:5DB471159EA29EE26D76B8798A663C56EC8D1128803C283DD5404E7172B46276
          SHA-512:EDF48BD307B69B238B916F948187ABCBA72F99FBDAF88DC142EEE0D6B43D1A22DB6D1519104EA1A88064E3B983DE8F266A41DE57D82C429218E1721450DA575D
          Malicious:false
          Reputation:unknown
          Preview: kYK25871oN296Ce735rU8e6e6gM78006092cmk457W9QLCa8W621I6580CmC19qG203y0MY1J9..53UoWtw9R7cFjdSX1wH439p285TI69DcOi36345Q8H0ZE8B2Prm9I34y42W0A..2knJdan8D5n0w1OuPAO7sMQy6FA17..a7T2lq7v45i..oXq84147m5GcAJ0933bR..IbwR538e846pD05FpJ743J164WF6ot970NO714FaPgs525e144uz600RW1m11u8ni1Z3mV30004bgR2K57fg8xflp20r785PBw879vU2486ZL344I7i10..i236B25h71e39K1IHSu53WKofVPH8hHv5Z01u9O729x5d08QzL81R1ODbl2zw70e083y72V22O0t688p01B1961f44TK4600fJjc65p..h76d725f204eYBi16QdSn..3X54x..yX1l41q85l6a5U2Yh3332vua3YbaB89UWNIyuk86e46X11X3t24n4Wm63a7D320sY4PAg36iL1O73l5225s1xb4X0zWa913ERf6RWf88989nhb46j5kG4228S3U5W2uBn9..
          C:\Users\user\AppData\Local\Temp\42926996\thpdqkp.pdf
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):510
          Entropy (8bit):5.519377268156367
          Encrypted:false
          SSDEEP:
          MD5:083A56319C90AC888FA43E325AABB387
          SHA1:21FBCD1112593525F29A825863303B98C3C831E2
          SHA-256:9EA121439F1BB0B856A93760A2C99ED8568B30F193D0897F697C64D66541B6F9
          SHA-512:2393BE1E7CEDD27AD07CCF54D3D9161CCDCFD27AABF602857D8B7190C61C6C522350C38C80F6CF3E6DFAD329E20018948D1004997431E3432976D2620EA80521
          Malicious:false
          Reputation:unknown
          Preview: 4X3QNA8qnst394Z357cI6053ImJvWx1PfzV1bOFe184t21qB59YXu8m03v6pO..D89MY60q27646Q77C198hcEEZ479KC2O64v6m00vwi64tdTSyKJT1t0dHqU2W9p7kNJ85..r1j19007s0xz91Cp82C95g486..546S4o65rww14M4go0c0c68sJ5D061925w3V5l452h2745LB6G939iwuAH66874Ic1eZz61vVf2Oq0EM79efc55Qhg90f029..5kCTL0klo84jY5pqi298cAL1A1B844u5922Dh821S3596P9RE9Czc42G4966h380bD245EU561J1AB7g6M731LeR5Ro8dXlTJ6lfS324565Y11VZ9Qj0cNC3w501oRSYdO2Zz94n56629..9P5Y0bFoGUE96G9W8Ce5P78kK0Kk0sy4td2N53Ia5gA1oydpK4XO01BiR28u3P..59K5n25..r71916779X8p56Fh5wE16Os..2o9bUvI1..
          C:\Users\user\AppData\Local\Temp\42926996\ukudgfq.xml
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):525
          Entropy (8bit):5.473572389146889
          Encrypted:false
          SSDEEP:
          MD5:EFC5299F3B16950EC2D874A4025ADA59
          SHA1:E10316D89FD25B136CA01FF70C955BC82DC39B2D
          SHA-256:C857B3F2573C1E58D33950FD32362921293E1CFEF7F626FA0A5D6BB0F807D17D
          SHA-512:D66128915C587797DC5C0F39982003815AAEA7A80618B3EBC986FA6CE695FAD651A803036E11B375B00AB31505CFFC74E6F8116736589A1E2D054D0A4DC82417
          Malicious:false
          Reputation:unknown
          Preview: 5nB17086a7zSkGd9on4FE276cqzE22eL27kx16181C0Pl9vQ76O63iU3V88Z16zx03v59G40q25R6cD7tg5m3fK9TW44d..Co0k8Y0h1J4WwnqF4Hx42z510Fm9506Hnt1g7HO53ZEDWDmGaPy867b92d0Z8ZP6ic4J15y0f5816d149rd4aL6MeeCO979p33930E37B2np3J1qf4adaROP0ug35dQ0F236N..4MFj3hfl945Z91dkxeD68B0g01ut31235pMU118u2V9qI6vrh71..242513u8WmS8t7R46L0b564Rg3om7277RicwbE04490R6i972s2hKM15FRFwsIy49G3bF85S373lL855e5VK769O79jwHq007eV44H91xu3wB6227a7p2c0L3h17lC962s99781BS96v7O64664pe7W6K91pO91c6A08205..1i2B16h12A8nZM1Xk1F048X7r57AddvO9868B175I7aruY17j240H8GM38fe6Ggg95FrQC2..
          C:\Users\user\AppData\Local\Temp\42926996\uobpsvii.dat
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):567
          Entropy (8bit):5.367499746051203
          Encrypted:false
          SSDEEP:
          MD5:690BF341B7ECAE1D001856FC5197EC58
          SHA1:30BF5F660B39908575DA05C20EBE7F3D2644B1AF
          SHA-256:C2544CEF2E10F78AAF1849FB8630DDCD3F55BF314F1187BA4EBD580DC45B94E0
          SHA-512:8EA6D62596517C66400CA9BCD0A2B749ECCBDC273FCF83FAFA9ED80878DD69B335A63E8CC0AB4AF48F6BEC03E7379CE33E9CC3C6C073DC8FF57841570CC0BF7C
          Malicious:false
          Reputation:unknown
          Preview: nf12iBB5483S5V8b63HY85m8Zemmu29GZkt23UW2o3L63740E14334Z62F99A..98304Tb5X64..3I829jY27d46wCp9Mt2U5j0U10x22wD69r3PK5x9f8e48MZ3i3O9m7G1T7751vcTo1n78fy15160D981240ek08620ZQlITZh27220YQ1..RCI8Gy6g128..2hSV32c1B99Y6382Sui227JA9Bh752x1aF8..7WdA0lxjy8713tEr09T50X14j8d3Ga4EFMU683820193RRb05L0T0353Y5676614gLs2Fqtef9059mm471Ewd7k864y45B86fX3T50O98208fh7999Wh3F8ox3TnSz76n0JaA16G3yA2n7X874z9037hfD55t4668S6..xiO4gfb087AfiQ69j6222L95c888ym497h11snsA4IH89O5w0Ht1rO192362u3uX6B160zTsIZ1N4mTQY..6Y736fcD2ff0u0F222m15t2v681ED3OW9I6C0J631W8nEOeXyj5o5cNe74N2S0022274W1630AI26403160F..
          C:\Users\user\AppData\Local\Temp\42926996\urbtqojdqc.jpg
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):530
          Entropy (8bit):5.49698261418081
          Encrypted:false
          SSDEEP:
          MD5:5766C274DE702CA72DF424B24CC29E23
          SHA1:39B4D297590E5C68D8260CCB6C842FF66AD27B81
          SHA-256:E1BD1D686B52D783C8320752FF98988948B1C4651F318BFD12AE19E9F5E3F934
          SHA-512:EA774FC1991C9CBC77140DE3F147898606A29D69FF040894CC0AB22B4DC8681D476C6E9EF55FAF2AAF13AF04DF296550AB3D5B87F55A52C6F8AC905478A643C8
          Malicious:false
          Reputation:unknown
          Preview: aryaYzMV1x9U07x2t4y4nK2yk6GRZ00422gfoNT6q93E782G03Cr6BfkD67268R3Hqr7V154Oi7964CtblL1uG73r4C61ft9fZC722d7129r84anmP215k2o7xQbcMa3..8LogxVgXFy1063y39CmkByv75BJJF8zSu0DbX8i819525RVDN3o5s0K126otOB49jh90DK8CwVUNH9K48m1N281662950y637M497078Dvh09Fu6fJ..3g5uP535934G04KB2VtNq3TRmwYQ04kH90n55rneNYc65v51b1e776453L8s2B2Ed18655z2hf4ySKB100g3Y8GH2E2SI5j71jEH3VXj7uDBN4..60RC5U9Tj62n7yN819VrN4480lh4BVv1956x80iJOC38J7Auy282t662O0tY9M03199BU6y4K23m5eE75s7g92W50J96e674V24Z45n38Pfiz..FfoYVs1FV6Nby94r2893K4Az1Q90vN2i2c125b07pSz4mi170as70N44R0S..
          C:\Users\user\AppData\Local\Temp\42926996\wgvn.ico
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):514
          Entropy (8bit):5.447096286891588
          Encrypted:false
          SSDEEP:
          MD5:CE265A5F7AFC99949B591F0034A9E8E8
          SHA1:D1C0810CEB4EFC47FD096B0F4961F0282100ACCD
          SHA-256:602B62FA3EF9C041EA580C6C4149EB997821EE3BDE455A6416D830E5DD1F3F2F
          SHA-512:B8DCD51303B664BBC1BEA2C9C52B49D8F2E5C42B99C822CA12AEACE5998D634D704B1F6F3FC02C0B188517641E36BE17AE8EA906EA34D681DCCF4D8FF2500AC3
          Malicious:false
          Reputation:unknown
          Preview: 4r0d985H687657gzTfA142d134qK33t600BqZ1G4t97G73i0bs491e37F4EP8Ga563EWh9iga64489e9n20jLma88H597ur705cj0QRB88Xw060S4C59pdV607S008e48..274fJ1VYk22NGA69xPzg233Q9bqA7M420907OB968Oy9LZQOnC61F1K10p0D92c3103VO3OyHs7m99wvE36389V51oVA0..7Cl3aGZ3V7Tz6z4z12w061316502YSe9A4E2Lr4525nja31sq9392vJ8oXtZ5G1f517i2T1sYz24V3BS4K11X60pAn3V52907490014t5Ib8xjPc76T5r143p32J..G884w34F4za2Dt615888KAY4v89huUh4ic2c904jfdrS9lPQQ8mHWPJ4pk836SeNqwlm1lau410js34n8PvI8k6S487jT2qZ92nvK46t8z793kf6a1P8BEG9EGO7t4OUOK8eqk80..n8412P6639y8POa425srD0..
          C:\Users\user\AppData\Local\Temp\42926996\wmlwvee.icm
          Process:C:\Users\user\Desktop\mzyDSLb1u9.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):567
          Entropy (8bit):5.490641957756693
          Encrypted:false
          SSDEEP:
          MD5:C8160408AD877D37FDC8C63CF6AE7CA5
          SHA1:943E7ACBF7DFBACFA3905EE4DB8EF10775F8D487
          SHA-256:9C9F59702F59B2FE573979814C465EFDBA277F21607B6A36CBF68C936A49B924
          SHA-512:3CC4DE58ABEC68011E66769EAB6FE4088C5B84A3959EE2A536A10E8A7A463BC63E21FA9EFA7C0C00BA85B933D3520D625C3404F1DE69C0CF0DCA8D3BB090F46E
          Malicious:false
          Reputation:unknown
          Preview: Lth83z375608nR0W2635Lp7fB86ybEs9Ipm6x0JOyiZ83L6f3z615dvO2VtU52Q0F631B89600K67d2w0uk4hF9413in81I1MO9Xp70B..bNWh13aF374J7bKYZnhBjBk421K4y54ub3D1982h31sPKP2jps830IEm9k3A6157LIRu3b739MH021G67o82jrYiTF0kf37M..3B066Vju0RuYS562V478p6YbT..3x8wgCk6353Ag27hALe1qzJE..j8o86VuHbh1BpRpf64BW8fnNbMM22LzSh948F8Q8RS3ZuTb92W96ega1437T1QP6094x78A013u91Fgs98GvP0688xuD30I86GV08pV0k44277RAw1j9C21E89..3KK77994W653EW49H067C0Sx0l71X9l784N7lKK3681u9w9r4y59n118c14Up24..kVizW7GI4G4308ob2a018Nuy8a4n4rv..9Z8PIq223ocdBP7kEl4h70ks91669w51F178KsV7YsFG255uE630Fh0115e381mR702Wz6pj936MgfFS279Z1l..
          C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Process:C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):45152
          Entropy (8bit):6.149629800481177
          Encrypted:false
          SSDEEP:
          MD5:2867A3817C9245F7CF518524DFD18F28
          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
          Malicious:true
          Antivirus:
          • Antivirus: Metadefender, Detection: 0%, Browse
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
          C:\Users\user\AppData\Local\Temp\tmpD629.tmp
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1308
          Entropy (8bit):5.103583470672722
          Encrypted:false
          SSDEEP:
          MD5:990B7A403BC76992021F9FA8008904F2
          SHA1:42911051D889BC22633FB4EC99794202975260A8
          SHA-256:2C4DC85A9C8127D7F864AB718245EBC0C5B625C04837AC84E012429E956936EE
          SHA-512:C5FF697E356C84B83D18952A5EDA27E225E649B89F8E43BEE565C6DFC87B12D15D8AD0698C03D6915786120042DABFBCB11493E233B8B3B2742EE8C0C5E4A09C
          Malicious:true
          Reputation:unknown
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Local\Temp\tmpDA12.tmp
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Reputation:unknown
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:Non-ISO extended-ASCII text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:
          MD5:EF7DF6C58626F07283BD6EF32DD88723
          SHA1:6242A65E99D003E1D488C91B5AB6FEBE93E6B2A1
          SHA-256:3D834F7BE4A8CFE63C334B3F61B7A4DC367EBE223A81CA31D28F85A8D305710A
          SHA-512:B005C37DF518466CC17300F731177D0A595AF5589941C85F25C042F43D87EE43519AD0F650B202094E728ED5F1C7ED5D4E2D20332189AA870284974539DF2EA1
          Malicious:true
          Reputation:unknown
          Preview: Y....L.H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):45
          Entropy (8bit):4.324534762707879
          Encrypted:false
          SSDEEP:
          MD5:47370DB2229FE5D11F48C7C4DCF1D3DA
          SHA1:02F189B1593B564FAF6B30C1573A6C4156EEA2B8
          SHA-256:8DA13D1ABADD97A50839C4237102C680E32B80F56B8B594ACC289D603779F743
          SHA-512:0FAE24E7BA758031C3850E96BFB9F93B71E9CDF886A83F83F8B0BB57C76403DA0563E3B9117360968AA279927EB7FB8F77BA48B446635E60D159AFFB96979550
          Malicious:false
          Reputation:unknown
          Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          C:\Users\user\temp\osmphj.xml
          Process:C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):75
          Entropy (8bit):4.876817484945778
          Encrypted:false
          SSDEEP:
          MD5:4D73E5FEE5042E52A2E24A33B2E2A030
          SHA1:699961AE1A3D3C0ABA1D7C5D00A00688B5C30A70
          SHA-256:A214B4565266B8E2758372703467765341D9A972D9E602DECF593A50E7827096
          SHA-512:31E6A516A9B6681626042B11BDE7A07848955189E22D0465B7D9892776BDF1563F2A5F48CD2D990642354BD375AF298B03AD87A68B483E04F0888886122AA34B
          Malicious:false
          Reputation:unknown
          Preview: [S3tt!ng]..stpth=%temp%..Key=Chrome..Dir3ctory=42926996..ExE_c=mssvgt.pif..
          \Device\ConDrv
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1141
          Entropy (8bit):4.44831826838854
          Encrypted:false
          SSDEEP:
          MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
          SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
          SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
          SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
          Malicious:false
          Reputation:unknown
          Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.837252000939896
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:mzyDSLb1u9.exe
          File size:1105214
          MD5:922bbf421cd0c9b155f45388db7c8718
          SHA1:993cd3bc36c7d903846cf9ee4fb1e8e01dec4947
          SHA256:1bf63394fcf232d3a303d17df87252e2f47c43205edadc99ed15a50c9e193ebc
          SHA512:1af0064f0524fd93ee173467b490a407e3d4f43ce97a0d0fa599964f4ad787b302155b3e0d859f8fb2dbaacc99ab399cd7b368011d29f61e6981f05396ec3bf9
          SSDEEP:24576:BAOcZpJ/cpMh+itmP6UvJmoSSvVUYG4Y7:bLRit6YoSyVUYG4I
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

          File Icon

          Icon Hash:1ab8e6e663d6c77a

          Static PE Info

          General

          Entrypoint:0x41e1f9
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

          Entrypoint Preview

          Instruction
          call 00007F9B4883074Fh
          jmp 00007F9B48830143h
          cmp ecx, dword ptr [0043D668h]
          jne 00007F9B488302B5h
          ret
          jmp 00007F9B488308C5h
          ret
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 00433068h
          mov dword ptr [ecx], 00434284h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F9B488236C1h
          mov dword ptr [esi], 00434290h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 00434298h
          mov dword ptr [ecx], 00434290h
          ret
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 00434278h
          push eax
          call 00007F9B4883345Dh
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 00434278h
          push eax
          call 00007F9B48833446h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          je 00007F9B488302BCh
          push 0000000Ch
          push esi
          call 00007F9B4882F87Fh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007F9B4883021Eh
          push 0043A410h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007F9B48832B45h
          int3
          push ebp
          mov ebp, esp
          sub esp, 0Ch

          Rich Headers

          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [EXP] VS2015 UPD3.1 build 24215
          • [LNK] VS2015 UPD3.1 build 24215
          • [IMP] VS2008 SP1 build 30729
          • [C++] VS2015 UPD3.1 build 24215
          • [RES] VS2015 UPD3 build 24213

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x57e8 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x68000 | 0x210c | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc | 0x62000 | 0x57e8 | 0x5800 | False | 0.618430397727 | data | 6.34217881671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x68000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
          PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
          RT_ICON | 0x64618 | 0xea8 | data | |
          RT_DIALOG | 0x654c0 | 0x286 | data | English | United States
          RT_DIALOG | 0x65748 | 0x13a | data | English | United States
          RT_DIALOG | 0x65884 | 0xec | data | English | United States
          RT_DIALOG | 0x65970 | 0x12e | data | English | United States
          RT_DIALOG | 0x65aa0 | 0x338 | data | English | United States
          RT_DIALOG | 0x65dd8 | 0x252 | data | English | United States
          RT_STRING | 0x6602c | 0x1e2 | data | English | United States
          RT_STRING | 0x66210 | 0x1cc | data | English | United States
          RT_STRING | 0x663dc | 0x1b8 | data | English | United States
          RT_STRING | 0x66594 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
          RT_STRING | 0x666dc | 0x446 | data | English | United States
          RT_STRING | 0x66b24 | 0x166 | data | English | United States
          RT_STRING | 0x66c8c | 0x152 | data | English | United States
          RT_STRING | 0x66de0 | 0x10a | data | English | United States
          RT_STRING | 0x66eec | 0xbc | data | English | United States
          RT_STRING | 0x66fa8 | 0xd6 | data | English | United States
          RT_GROUP_ICON | 0x67080 | 0x14 | data | |
          RT_MANIFEST | 0x67094 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

          Imports

          DLL | Import
          KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
          gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

          Possible Origin

          Language of compilation system | Country where language is spoken | Map
          English | United States |

          Network Behavior

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jul 22, 2021 05:17:11.832387924 CEST | 49742 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:12.148127079 CEST | 48562 | 49742 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:12.662945032 CEST | 49742 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:12.906512976 CEST | 48562 | 49742 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:13.413012028 CEST | 49742 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:13.644347906 CEST | 48562 | 49742 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:18.608572006 CEST | 49743 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:18.940551043 CEST | 48562 | 49743 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:19.459135056 CEST | 49743 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:19.860749960 CEST | 48562 | 49743 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:20.376791000 CEST | 49743 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:20.643014908 CEST | 48562 | 49743 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:25.149589062 CEST | 49746 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:25.372134924 CEST | 48562 | 49746 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:25.982177019 CEST | 49746 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:26.471535921 CEST | 48562 | 49746 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:26.980232000 CEST | 49746 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:42.999517918 CEST | 49753 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:43.230129004 CEST | 48562 | 49753 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:43.919141054 CEST | 49753 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:44.148785114 CEST | 48562 | 49753 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:44.809823990 CEST | 49753 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:45.093375921 CEST | 48562 | 49753 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:49.155298948 CEST | 49761 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:49.387444973 CEST | 48562 | 49761 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:49.888355970 CEST | 49761 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:50.209687948 CEST | 48562 | 49761 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:50.716671944 CEST | 49761 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:52.652920008 CEST | 48562 | 49761 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:17:56.655800104 CEST | 49763 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:17:59.717331886 CEST | 49763 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:05.717936039 CEST | 49763 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:05.944273949 CEST | 48562 | 49763 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:10.134605885 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:10.369349957 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:10.874705076 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:11.121792078 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:11.624604940 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:11.862843990 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:15.996989012 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:16.253267050 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:16.765685081 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:17.003547907 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:17.515928030 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:17.746754885 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:22.398070097 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:23.848702908 CEST | 48562 | 49771 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:24.360213041 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:30.376259089 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:33.251219034 CEST | 48562 | 49771 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:37.269668102 CEST | 49774 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:37.750619888 CEST | 48562 | 49774 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:38.252043009 CEST | 49774 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:38.490231037 CEST | 48562 | 49774 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:39.017596960 CEST | 49774 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:55.035926104 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:55.263413906 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:55.769247055 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:56.026536942 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4
          Jul 22, 2021 05:18:56.534919977 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
          Jul 22, 2021 05:18:56.769310951 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4

          UDP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jul 22, 2021 05:16:45.368163109 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:45.426140070 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:46.196170092 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:46.248234034 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:46.617543936 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:46.675631046 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:47.085782051 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:47.142744064 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:48.086718082 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:48.136323929 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:48.982448101 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:49.034616947 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:57.219923019 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:57.271943092 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:58.204699993 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:58.264853954 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:58.972019911 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:59.032012939 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:59.452148914 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:59.513328075 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:16:59.882565022 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:16:59.931875944 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:00.731015921 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:00.792860031 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:01.744822025 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:01.802191019 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:02.560925961 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:02.620811939 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:03.484529018 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:03.536657095 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:04.690516949 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:04.744118929 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:06.417464972 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:06.466891050 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:08.645159006 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:08.694384098 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:09.525985003 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:09.578790903 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:10.649703026 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:10.707179070 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:11.742209911 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:11.804403067 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:18.392772913 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:18.451010942 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:19.589277983 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:19.660592079 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:25.090871096 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:25.148137093 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:38.678478956 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:38.737824917 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:40.882186890 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:40.942317009 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:41.081737995 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:41.169881105 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:41.792850971 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:41.853188992 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:42.110409975 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:42.170422077 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:42.588500977 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:42.647428036 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:43.738065958 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:43.798119068 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:43.823242903 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:43.889246941 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:45.352931976 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:45.409823895 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:46.021116972 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:46.071419954 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:46.985760927 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:47.043205023 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:47.883486032 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:47.943267107 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:48.815505981 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:48.872720957 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:49.380682945 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:49.433089018 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:17:59.303744078 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
          Jul 22, 2021 05:17:59.363445997 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
          Jul 22, 2021 05:18:10.076064110 CEST6068953192.168.2.48.8.8.8
          Jul 22, 2021 05:18:10.132956028 CEST53606898.8.8.8192.168.2.4
          Jul 22, 2021 05:18:15.936439991 CEST6420653192.168.2.48.8.8.8
          Jul 22, 2021 05:18:15.994916916 CEST53642068.8.8.8192.168.2.4
          Jul 22, 2021 05:18:22.325500965 CEST5090453192.168.2.48.8.8.8
          Jul 22, 2021 05:18:22.385513067 CEST53509048.8.8.8192.168.2.4
          Jul 22, 2021 05:18:30.150854111 CEST5752553192.168.2.48.8.8.8
          Jul 22, 2021 05:18:30.227001905 CEST53575258.8.8.8192.168.2.4
          Jul 22, 2021 05:18:32.128432989 CEST5381453192.168.2.48.8.8.8
          Jul 22, 2021 05:18:32.201231956 CEST53538148.8.8.8192.168.2.4

          DNS Queries

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
          Jul 22, 2021 05:17:11.742209911 CEST | 192.168.2.4 | 8.8.8.8 | 0xf73b | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:17:18.392772913 CEST | 192.168.2.4 | 8.8.8.8 | 0xd127 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:17:25.090871096 CEST | 192.168.2.4 | 8.8.8.8 | 0x8bae | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:10.076064110 CEST | 192.168.2.4 | 8.8.8.8 | 0x25a | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:15.936439991 CEST | 192.168.2.4 | 8.8.8.8 | 0x8f60 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:22.325500965 CEST | 192.168.2.4 | 8.8.8.8 | 0x27ed | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)

          DNS Answers

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
          Jul 22, 2021 05:17:11.804403067 CEST | 8.8.8.8 | 192.168.2.4 | 0xf73b | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:17:18.451010942 CEST | 8.8.8.8 | 192.168.2.4 | 0xd127 | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:17:25.148137093 CEST | 8.8.8.8 | 192.168.2.4 | 0x8bae | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:10.132956028 CEST | 8.8.8.8 | 192.168.2.4 | 0x25a | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:15.994916916 CEST | 8.8.8.8 | 192.168.2.4 | 0x8f60 | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)
          Jul 22, 2021 05:18:22.385513067 CEST | 8.8.8.8 | 192.168.2.4 | 0x27ed | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001)

          Code Manipulations

          Statistics

          Behavior

          System Behavior

          General

          Start time:05:16:49
          Start date:22/07/2021
          Path:C:\Users\user\Desktop\mzyDSLb1u9.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\mzyDSLb1u9.exe'
          Imagebase:0x13c0000
          File size:1105214 bytes
          MD5 hash:922BBF421CD0C9B155F45388DB7C8718
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Start time:05:16:56
          Start date:22/07/2021
          Path:C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' nlcno.gge
          Imagebase:0xa90000
          File size:855280 bytes
          MD5 hash:7C81E999E91D1D0F772010DFA4C34923
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.662507687.00000000044F5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.659920002.00000000044F5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.662369446.0000000004539000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.660958539.0000000003724000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.660913492.0000000003705000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.659777206.0000000004476000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.659743510.00000000044F5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.662616297.00000000044C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.659811723.00000000044C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.661010431.0000000003727000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.662013671.0000000004441000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.661068688.0000000004538000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.662163487.00000000049D2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.661829199.0000000004538000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.660075291.0000000004538000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.661660900.0000000004475000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.659878466.0000000004441000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.660813067.0000000004538000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.660033291.000000000456E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 23%, Metadefender
          • Detection: 29%, ReversingLabs
          Reputation:low

          General

          Start time:05:17:01
          Start date:22/07/2021
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x3c0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.905012001.0000000005740000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.905012001.0000000005740000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.901251206.0000000000792000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.905032778.0000000005750000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.905032778.0000000005750000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.902994074.0000000003CA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.905317731.0000000006460000.00000004.00000001.sdmp, Author: Joe Security
          Antivirus matches:
          • Detection: 0%, Metadefender
          • Detection: 0%, ReversingLabs
          Reputation:high

          General

          Start time:05:17:07
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD629.tmp'
          Imagebase:0x30000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:05:17:08
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:05:17:08
          Start date:22/07/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpDA12.tmp'
          Imagebase:0x30000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:05:17:09
          Start date:22/07/2021
          Path:C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\AppData\Local\Temp\42926996\mssvgt.pif' C:\Users\user\AppData\Local\Temp\42926996\nlcno.gge
          Imagebase:0xa90000
          File size:855280 bytes
          MD5 hash:7C81E999E91D1D0F772010DFA4C34923
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.692566467.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.689820753.0000000003D86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690180075.0000000003E7E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690030414.0000000003D85000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.692643816.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.691361381.0000000003E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690095645.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.691863501.0000000003D85000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.689852195.0000000003DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.692788641.0000000003E05000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690118955.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.692903177.0000000003DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690447296.0000000003EB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.689909094.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690354835.0000000003E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.690069103.0000000003E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.689784104.0000000003E05000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.692445105.0000000003E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:05:17:09
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:05:17:10
          Start date:22/07/2021
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
          Imagebase:0xbd0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:high

          General

          Start time:05:17:10
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:05:17:10
          Start date:22/07/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x2b0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Antivirus matches:
          • Detection: 0%, Virustotal
          • Detection: 0%, Metadefender
          • Detection: 0%, ReversingLabs
          Reputation:high

          General

          Start time:05:17:11
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:05:17:15
          Start date:22/07/2021
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x630000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.715341016.0000000002F91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.714424502.0000000000A02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.715442161.0000000003F99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

          General

          Start time:05:17:17
          Start date:22/07/2021
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\42926996\Update.vbs'
          Imagebase:0x7ff780f70000
          File size:163840 bytes
          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:05:17:26
          Start date:22/07/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0x1c0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET

          General

          Start time:05:17:26
          Start date:22/07/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Disassembly

          Code Analysis