Play interactive tour

Edit tour

Windows Analysis Report Order List.exe

Overview

General Information

Sample Name:	Order List.exe
Analysis ID:	457798
MD5:	e2893188b7e7d6f19581a7981c2a0a75
SHA1:	6a7a3d1ecb2175b53fb98974220f15ec6a1545cf
SHA256:	09b6f40cf52bde38b03cbf49a02e40370914aacfe727cda9d6d9002cce5debeb
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Order List.exe (PID: 5776 cmdline: 'C:\Users\user\Desktop\Order List.exe' MD5: E2893188B7E7D6F19581A7981C2A0A75)

schtasks.exe (PID: 1848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 5564 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 4988 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

schtasks.exe (PID: 3100 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5512 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp71A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 488 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5276 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6080 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1b30e380-3e9d-40b0-8d35-d1fb4c64", "Group": "gintx$$", "Domain1": "79.134.225.115", "Domain2": "gintex.ddns.net", "Port": 21180, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000012.00000002.500969666.0000000003FD6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30da:$a: NanoCore 0x313b:$a: NanoCore 0x317e:$a: NanoCore 0x31be:$a: NanoCore 0x33fa:$a: NanoCore 0x349a:$a: NanoCore 0x3c72:$a: NanoCore 0x4265:$a: NanoCore 0x43b6:$a: NanoCore 0x5210:$a: NanoCore 0x5477:$a: NanoCore 0x548c:$a: NanoCore 0x54ab:$a: NanoCore 0xe3ae:$a: NanoCore 0xe3d7:$a: NanoCore 0x3150:$b: ClientPlugin 0x3403:$b: ClientPlugin 0x34a3:$b: ClientPlugin 0xe1ce:$b: ClientPlugin 0xe1e2:$b: ClientPlugin 0xe212:$b: ClientPlugin
00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x144bd:$x1: NanoCore.ClientPluginHost 0x144fa:$x2: IClientNetworkHost 0x1802d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14225:$a: NanoCore 0x14235:$a: NanoCore 0x14469:$a: NanoCore 0x1447d:$a: NanoCore 0x144bd:$a: NanoCore 0x14284:$b: ClientPlugin 0x14486:$b: ClientPlugin 0x144c6:$b: ClientPlugin 0x143ab:$c: ProjectData 0x14db2:$d: DESCrypto 0x1c77e:$e: KeepAlive 0x1a76c:$g: LogClientMessage 0x16967:$i: get_Connected 0x150e8:$j: #=q 0x15118:$j: #=q 0x15134:$j: #=q 0x15164:$j: #=q 0x15180:$j: #=q 0x1519c:$j: #=q 0x151cc:$j: #=q 0x151e8:$j: #=q
00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x120d75:$x1: NanoCore.ClientPluginHost 0x120db2:$x2: IClientNetworkHost 0x1248e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x120add:$a: NanoCore 0x120aed:$a: NanoCore 0x120d21:$a: NanoCore 0x120d35:$a: NanoCore 0x120d75:$a: NanoCore 0x120b3c:$b: ClientPlugin 0x120d3e:$b: ClientPlugin 0x120d7e:$b: ClientPlugin 0x120c63:$c: ProjectData 0x12166a:$d: DESCrypto 0x129036:$e: KeepAlive 0x127024:$g: LogClientMessage 0x12321f:$i: get_Connected 0x1219a0:$j: #=q 0x1219d0:$j: #=q 0x1219ec:$j: #=q 0x121a1c:$j: #=q 0x121a38:$j: #=q 0x121a54:$j: #=q 0x121a84:$j: #=q 0x121aa0:$j: #=q
00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x344e7:$a: NanoCore 0x34540:$a: NanoCore 0x3457d:$a: NanoCore 0x345f6:$a: NanoCore 0x47e62:$a: NanoCore 0x47e87:$a: NanoCore 0x47ee0:$a: NanoCore 0x34549:$b: ClientPlugin 0x34586:$b: ClientPlugin 0x34e84:$b: ClientPlugin 0x34e91:$b: ClientPlugin 0x47c59:$b: ClientPlugin 0x47c6a:$b: ClientPlugin 0x47c9a:$b: ClientPlugin 0x47e6b:$b: ClientPlugin 0x47e90:$b: ClientPlugin 0x47d9c:$c: ProjectData 0x349d1:$g: LogClientMessage 0x34951:$i: get_Connected 0x484a6:$j: #=q 0x484c2:$j: #=q
00000012.00000002.496725291.0000000002D80000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b587:$a: NanoCore 0x1b5ad:$a: NanoCore 0x1b609:$a: NanoCore 0x2846f:$a: NanoCore 0x284c8:$a: NanoCore 0x284fb:$a: NanoCore 0x28727:$a: NanoCore 0x287a3:$a: NanoCore 0x28dbc:$a: NanoCore 0x28f05:$a: NanoCore 0x293d9:$a: NanoCore 0x296c0:$a: NanoCore 0x296d7:$a: NanoCore 0x32587:$a: NanoCore 0x32603:$a: NanoCore 0x34ee6:$a: NanoCore 0x3a4bd:$a: NanoCore 0x3a537:$a: NanoCore 0x404a0:$a: NanoCore 0x404ea:$a: NanoCore 0x41144:$a: NanoCore
00000012.00000002.500995543.0000000003FEF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5590f:$a: NanoCore 0x559f9:$a: NanoCore 0x56870:$a: NanoCore 0x5fa1a:$a: NanoCore 0x5fa7b:$a: NanoCore 0x5fabe:$a: NanoCore 0x5fafe:$a: NanoCore 0x5fd3a:$a: NanoCore 0x5fdda:$a: NanoCore 0x605b2:$a: NanoCore 0x60ba5:$a: NanoCore 0x60cf6:$a: NanoCore 0x61b50:$a: NanoCore 0x61db7:$a: NanoCore 0x61dcc:$a: NanoCore 0x61deb:$a: NanoCore 0x6acee:$a: NanoCore 0x6ad17:$a: NanoCore 0x76a90:$a: NanoCore 0x76ab9:$a: NanoCore 0x9b97c:$a: NanoCore
00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
Process Memory Space: Order List.exe PID: 5776	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x57934:$x1: NanoCore.ClientPluginHost 0x72299c:$x1: NanoCore.ClientPluginHost 0x57995:$x2: IClientNetworkHost 0x7229fd:$x2: IClientNetworkHost 0x5cd9a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ad0c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x727e02:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x735d74:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Order List.exe PID: 5776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Order List.exe PID: 5776	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Order List.exe PID: 5776	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x57439:$a: NanoCore 0x57455:$a: NanoCore 0x575b0:$a: NanoCore 0x575bf:$a: NanoCore 0x57898:$a: NanoCore 0x578c4:$a: NanoCore 0x57934:$a: NanoCore 0x67376:$a: NanoCore 0x67388:$a: NanoCore 0x673c4:$a: NanoCore 0x7224a1:$a: NanoCore 0x7224bd:$a: NanoCore 0x722618:$a: NanoCore 0x722627:$a: NanoCore 0x722900:$a: NanoCore 0x72292c:$a: NanoCore 0x72299c:$a: NanoCore 0x7323de:$a: NanoCore 0x7323f0:$a: NanoCore 0x73242c:$a: NanoCore 0x574e0:$b: ClientPlugin
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.MSBuild.exe.6df0000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
18.2.MSBuild.exe.6df0000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
18.2.MSBuild.exe.6da0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
18.2.MSBuild.exe.6da0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
18.2.MSBuild.exe.3fde83e.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
18.2.MSBuild.exe.3fde83e.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d09930.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d09930.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e60000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e60000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d695f0.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d695f0.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d695f0.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.3d6dc19.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d6dc19.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d6dc19.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.6de0000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
18.2.MSBuild.exe.6de0000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
18.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.MSBuild.exe.6240000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
18.2.MSBuild.exe.6240000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
18.2.MSBuild.exe.6240000.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.6d90000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
18.2.MSBuild.exe.6d90000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
18.2.MSBuild.exe.6244629.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
18.2.MSBuild.exe.6244629.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
18.2.MSBuild.exe.6244629.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.40625ae.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
18.2.MSBuild.exe.40625ae.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
18.2.MSBuild.exe.2d92a08.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
18.2.MSBuild.exe.2d92a08.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
18.2.MSBuild.exe.6de0000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
18.2.MSBuild.exe.6de0000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
18.2.MSBuild.exe.2d92a08.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fb7f:$x1: NanoCore.ClientPluginHost 0x27ab5:$x1: NanoCore.ClientPluginHost 0x2da98:$x1: NanoCore.ClientPluginHost 0x37513:$x1: NanoCore.ClientPluginHost 0x4194f:$x1: NanoCore.ClientPluginHost 0x4c941:$x1: NanoCore.ClientPluginHost 0x586f7:$x1: NanoCore.ClientPluginHost 0x6444e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fbb8:$x2: IClientNetworkHost 0x27aee:$x2: IClientNetworkHost 0x37670:$x2: IClientNetworkHost 0x41988:$x2: IClientNetworkHost 0x4c95b:$x2: IClientNetworkHost 0x58711:$x2: IClientNetworkHost 0x6448b:$x2: IClientNetworkHost
18.2.MSBuild.exe.2d92a08.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fb7f:$a: NanoCore 0x1fbfb:$a: NanoCore 0x224de:$a: NanoCore 0x27ab5:$a: NanoCore 0x27b2f:$a: NanoCore 0x2da98:$a: NanoCore 0x2dae2:$a: NanoCore 0x2e73c:$a: NanoCore
18.2.MSBuild.exe.6e20000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e20000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e60000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e60000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e10000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e10000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
18.2.MSBuild.exe.405417e.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
18.2.MSBuild.exe.405417e.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
18.2.MSBuild.exe.2d442cc.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
18.2.MSBuild.exe.2d442cc.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
18.2.MSBuild.exe.3fde83e.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
18.2.MSBuild.exe.3fde83e.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
18.2.MSBuild.exe.6da0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
18.2.MSBuild.exe.6da0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
18.2.MSBuild.exe.65b0000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
18.2.MSBuild.exe.65b0000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
18.2.MSBuild.exe.2d442cc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
18.2.MSBuild.exe.2d442cc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
18.2.MSBuild.exe.6db0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
18.2.MSBuild.exe.6db0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e10000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e10000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
18.2.MSBuild.exe.2da7044.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb543:$x1: NanoCore.ClientPluginHost 0x13479:$x1: NanoCore.ClientPluginHost 0x1945c:$x1: NanoCore.ClientPluginHost 0x22ed7:$x1: NanoCore.ClientPluginHost 0x2d313:$x1: NanoCore.ClientPluginHost 0x38305:$x1: NanoCore.ClientPluginHost 0x440bb:$x1: NanoCore.ClientPluginHost 0x4fe12:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb57c:$x2: IClientNetworkHost 0x134b2:$x2: IClientNetworkHost 0x23034:$x2: IClientNetworkHost 0x2d34c:$x2: IClientNetworkHost 0x3831f:$x2: IClientNetworkHost 0x440d5:$x2: IClientNetworkHost 0x4fe4f:$x2: IClientNetworkHost
18.2.MSBuild.exe.2da7044.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb543:$a: NanoCore 0xb5bf:$a: NanoCore 0xdea2:$a: NanoCore 0x13479:$a: NanoCore 0x134f3:$a: NanoCore 0x1945c:$a: NanoCore 0x194a6:$a: NanoCore 0x1a100:$a: NanoCore 0x22ed7:$a: NanoCore 0x22fc1:$a: NanoCore 0x23e38:$a: NanoCore
18.2.MSBuild.exe.6d50000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
18.2.MSBuild.exe.6d50000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
18.2.MSBuild.exe.6dd0000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
18.2.MSBuild.exe.6dd0000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d09930.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d09930.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e2e8a4.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e2e8a4.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
18.2.MSBuild.exe.40625ae.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
18.2.MSBuild.exe.40625ae.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
18.2.MSBuild.exe.6dd0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
18.2.MSBuild.exe.6dd0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
18.2.MSBuild.exe.6df0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
18.2.MSBuild.exe.6df0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
18.2.MSBuild.exe.6db0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
18.2.MSBuild.exe.6db0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
18.2.MSBuild.exe.6dc0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
18.2.MSBuild.exe.6dc0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
18.2.MSBuild.exe.2daca7c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0xda41:$x1: NanoCore.ClientPluginHost 0x13a24:$x1: NanoCore.ClientPluginHost 0x1d49f:$x1: NanoCore.ClientPluginHost 0x278db:$x1: NanoCore.ClientPluginHost 0x328cd:$x1: NanoCore.ClientPluginHost 0x3e683:$x1: NanoCore.ClientPluginHost 0x4a3da:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0xda7a:$x2: IClientNetworkHost 0x1d5fc:$x2: IClientNetworkHost 0x27914:$x2: IClientNetworkHost 0x328e7:$x2: IClientNetworkHost 0x3e69d:$x2: IClientNetworkHost 0x4a417:$x2: IClientNetworkHost
18.2.MSBuild.exe.2daca7c.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xda41:$a: NanoCore 0xdabb:$a: NanoCore 0x13a24:$a: NanoCore 0x13a6e:$a: NanoCore 0x146c8:$a: NanoCore 0x1d49f:$a: NanoCore 0x1d589:$a: NanoCore 0x1e400:$a: NanoCore 0x275bb:$a: NanoCore 0x2761c:$a: NanoCore 0x2765f:$a: NanoCore 0x2769f:$a: NanoCore 0x278db:$a: NanoCore 0x2797b:$a: NanoCore 0x28153:$a: NanoCore 0x28746:$a: NanoCore 0x28897:$a: NanoCore 0x296f1:$a: NanoCore
18.2.MSBuild.exe.5510000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.MSBuild.exe.5510000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.MSBuild.exe.405417e.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
18.2.MSBuild.exe.405417e.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
18.2.MSBuild.exe.6240000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
18.2.MSBuild.exe.6240000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
18.2.MSBuild.exe.6240000.18.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.6e20000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e20000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d695f0.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d695f0.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d695f0.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.MSBuild.exe.65b0000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
18.2.MSBuild.exe.65b0000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
0.2.Order List.exe.437abe8.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Order List.exe.437abe8.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Order List.exe.437abe8.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Order List.exe.437abe8.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
18.2.MSBuild.exe.404b34f.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
18.2.MSBuild.exe.404b34f.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
18.2.MSBuild.exe.6d50000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
18.2.MSBuild.exe.6d50000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
18.2.MSBuild.exe.6e24c9f.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
18.2.MSBuild.exe.6e24c9f.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
18.2.MSBuild.exe.2daca7c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0xa041:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost 0xa07a:$x2: IClientNetworkHost
18.2.MSBuild.exe.2daca7c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0xa041:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0xa15c:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0xa05b:$s5: IClientLoggingHost
18.2.MSBuild.exe.2d34708.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x1477f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x147a9:$x2: IClientNetworkHost
18.2.MSBuild.exe.2d34708.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1477f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x1662f:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.MSBuild.exe.2d34708.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x1475a:$a: NanoCore 0x1477f:$a: NanoCore 0x147d8:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14551:$b: ClientPlugin 0x14562:$b: ClientPlugin 0x14592:$b: ClientPlugin 0x14763:$b: ClientPlugin 0x14788:$b: ClientPlugin 0x14694:$c: ProjectData 0x12c9:$g: LogClientMessage 0x1249:$i: get_Connected 0x14d9e:$j: #=q 0x14dba:$j: #=q
18.2.MSBuild.exe.3d181d4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d181d4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
18.2.MSBuild.exe.3d0e5cf.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
18.2.MSBuild.exe.3d0e5cf.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
0.2.Order List.exe.437abe8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Order List.exe.437abe8.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Order List.exe.437abe8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.MSBuild.exe.404b34f.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
18.2.MSBuild.exe.404b34f.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
18.2.MSBuild.exe.404b34f.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
Click to see the 116 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 4988, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1b30e380-3e9d-40b0-8d35-d1fb4c64", "Group": "gintx$$", "Domain1": "79.134.225.115", "Domain2": "gintex.ddns.net", "Port": 21180, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\AylDGlu.exe

ReversingLabs: Detection: 32%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR

Source: 18.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Order List.exe.e50000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 18.2.MSBuild.exe.6240000.18.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Order List.exe

Unpacked PE file: 0.2.Order List.exe.e50000.0.unpack

Source: Order List.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Order List.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 79.134.225.115:21180

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: gintex.ddns.net
Source: Malware configuration extractor	URLs: 79.134.225.115

Source: global traffic

TCP traffic: 192.168.2.5:49720 -> 79.134.225.115:21180

Source: Joe Sandbox View

IP Address: 79.134.225.115 79.134.225.115

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.95.249
Source: unknown	TCP traffic detected without corresponding DNS query: 8.253.95.249
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.5.146
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.25.243
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.115

Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order List.exe, 00000000.00000003.231082460.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlBSZeai
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFc_
Source: Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Order List.exe, 00000000.00000003.232385317.00000000065F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Order List.exe, 00000000.00000003.233466801.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comc_
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comce
Source: Order List.exe, 00000000.00000003.233549043.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: Order List.exe, 00000000.00000003.233549043.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Order List.exe, 00000000.00000003.232385317.00000000065F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd.F
Source: Order List.exe, 00000000.00000003.232906283.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: Order List.exe, 00000000.00000003.236577292.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Order List.exe, 00000000.00000003.236188400.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.commito
Source: Order List.exe, 00000000.00000003.236577292.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsiv
Source: Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtuF
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Order List.exe, 00000000.00000003.228566860.00000000065D2000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-
Source: Order List.exe, 00000000.00000003.228530300.00000000065D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnU
Source: Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/F_var
Source: Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/W
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.230341333.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-_
Source: Order List.exe, 00000000.00000003.230864466.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/://w
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F_var
Source: Order List.exe, 00000000.00000003.229784102.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Norm-_
Source: Order List.exe, 00000000.00000003.230341333.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: Order List.exe, 00000000.00000003.230019994.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/j_
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/al
Source: Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/c_
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-f
Source: Order List.exe, 00000000.00000003.229784102.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j_
Source: Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.231136881.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Order List.exe, 00000000.00000003.231136881.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/c_
Source: Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u_
Source: Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.mQ_aar
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Order List.exe, 00000000.00000003.232095762.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Order List.exe, 00000000.00000003.232030285.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deF
Source: Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deFr
Source: Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.depS
Source: Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order List.exe, Order List.exe, 00000000.00000002.317154586.0000000000F01000.00000002.00020000.sdmp	String found in binary or memory: https://github.com/seungyup26/minulazer

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 18.2.MSBuild.exe.6df0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6da0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3fde83e.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d09930.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e60000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6de0000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6d90000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.40625ae.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d92a08.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6de0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d92a08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d92a08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.6e20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e60000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e10000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.405417e.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d442cc.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3fde83e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6da0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.65b0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d442cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6db0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e10000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2da7044.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2da7044.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.6d50000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6dd0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d09930.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e2e8a4.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.40625ae.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6dd0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6df0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6db0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6dc0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2daca7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2daca7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.5510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.405417e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e20000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.65b0000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.404b34f.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.6e24c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2daca7c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d34708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.2d34708.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.3d181d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.3d0e5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.MSBuild.exe.404b34f.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.MSBuild.exe.404b34f.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.500969666.0000000003FD6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.496725291.0000000002D80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.500995543.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Order List.exe

Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D01A4 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D34A1 NtQueryInformationProcess,

Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D2E08
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D37C8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D04D1
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D37B8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D177A0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D14648
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D173D0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D123D8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D18BF8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D14B08
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D142E0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D1B241
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D13218
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D17791
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11FB0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11FA0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D136D0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D18E50
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D18E42
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11678
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11668
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D15638
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D155E8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11D40
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11D31
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D13D25
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D173C0
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D123C8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D17B80
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D17B70
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D10AD1
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D10AD8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D1DAA8
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D12219
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D13209
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D12228
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D11989
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D18838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_06E72F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_06E72358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_06E642EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_06E646D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_06E73850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_02C8E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_02C8E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 18_2_02C8BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 23_2_02E24A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 23_2_02E218C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 23_2_02E22148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 23_2_02E25D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 23_2_02E22133
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D718C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D75858
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D74580
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D72148
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D72138
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 27_2_031C2370
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 27_2_031C51F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 27_2_031C18C0

Source: Order List.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AylDGlu.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.18.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.18.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.18.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Order List.exe	Binary or memory string: OriginalFilename vs Order List.exe
Source: Order List.exe, 00000000.00000002.317280023.0000000000F6D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameecofAet.exe. vs Order List.exe
Source: Order List.exe, 00000000.00000002.328357531.00000000080E0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Order List.exe
Source: Order List.exe, 00000000.00000002.328357531.00000000080E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order List.exe
Source: Order List.exe, 00000000.00000002.326789430.0000000007C30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Order List.exe
Source: Order List.exe, 00000000.00000002.321431263.00000000044C8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Order List.exe
Source: Order List.exe, 00000000.00000002.327815319.0000000007E90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Order List.exe

Source: Order List.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 18.2.MSBuild.exe.6df0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6df0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6da0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6da0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3fde83e.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3fde83e.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d09930.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d09930.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e60000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e60000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6de0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6de0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6d90000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6d90000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.40625ae.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.40625ae.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d92a08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2d92a08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6de0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6de0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d92a08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2d92a08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.6e20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e20000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e60000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e60000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e10000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e10000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.405417e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.405417e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d442cc.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2d442cc.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3fde83e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3fde83e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6da0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6da0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.65b0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.65b0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d442cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2d442cc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6db0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6db0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e10000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e10000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2da7044.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2da7044.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.6d50000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6d50000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6dd0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6dd0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d09930.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d09930.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e2e8a4.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e2e8a4.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.40625ae.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.40625ae.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6dd0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6dd0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6df0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6df0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6db0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6db0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6dc0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6dc0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2daca7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2daca7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.5510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.5510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.405417e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.405417e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e20000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e20000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.65b0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.65b0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.404b34f.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.404b34f.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.6e24c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.6e24c9f.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2daca7c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2daca7c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d34708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.2d34708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.2d34708.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.3d181d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d181d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.3d0e5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.3d0e5cf.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.MSBuild.exe.404b34f.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.MSBuild.exe.404b34f.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.MSBuild.exe.404b34f.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.500969666.0000000003FD6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.496725291.0000000002D80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.500995543.0000000003FEF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Order List.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AylDGlu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: dhcpmon.exe.18.dr, Microsoft.Build/Shared/TaskLoader.cs	Task registration methods: 'CreateTask'
Source: dhcpmon.exe.18.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: dhcpmon.exe.18.dr, Microsoft.Build/BackEnd/TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: dhcpmon.exe.18.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs	Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.18.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.18.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.18.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.18.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: dhcpmon.exe.18.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs	Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)

Source: dhcpmon.exe	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: dhcpmon.exe	Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/17@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Order List.exe

File created: C:\Users\user\AppData\Roaming\AylDGlu.exe

Jump to behavior

Source: C:\Users\user\Desktop\Order List.exe	Mutant created: \Sessions\1\BaseNamedObjects\kOZZvLwy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1b30e380-3e9d-40b0-8d35-d1fb4c649239}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4692:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01

Source: C:\Users\user\Desktop\Order List.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp

Jump to behavior

Source: Order List.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order List.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Order List.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order List.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Order List.exe

File read: C:\Users\user\Desktop\Order List.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order List.exe 'C:\Users\user\Desktop\Order List.exe'
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp71A9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp'
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp71A9.tmp'

Source: C:\Users\user\Desktop\Order List.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Order List.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Order List.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order List.exe

Static file information: File size 1167872 > 1048576

Source: Order List.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Order List.exe

Unpacked PE file: 0.2.Order List.exe.e50000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Order List.exe

Unpacked PE file: 0.2.Order List.exe.e50000.0.unpack

Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_00E55FFC push 00000057h; iretd
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_00E55241 pushfd ; iretd
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_018D7CCC pushfd ; ret
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D1A0D8 push 0000006Dh; retf
Source: C:\Users\user\Desktop\Order List.exe	Code function: 0_2_07D1A01D push edx; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 25_2_02D75578 push FFFFFF8Bh; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.42920521019
Source: initial sample	Static PE information: section name: .text entropy: 7.42920521019

Source: C:\Users\user\Desktop\Order List.exe	File created: C:\Users\user\AppData\Roaming\AylDGlu.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Order List.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp'

Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order List.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Order List.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 582

Source: C:\Users\user\Desktop\Order List.exe TID: 5720	Thread sleep time: -59000s >= -30000s
Source: C:\Users\user\Desktop\Order List.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1556	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1000	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Order List.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: Order List.exe, 00000000.00000002.336442627.000000000A002000.00000002.00000001.sdmp	Binary or memory string: =Qemuy}
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Order List.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Order List.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Order List.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: dhcpmon.exe.18.dr, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 25.2.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 25.0.dhcpmon.exe.a10000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Order List.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Order List.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\Order List.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Order List.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
Source: C:\Users\user\Desktop\Order List.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
Source: C:\Users\user\Desktop\Order List.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B42008

Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp'
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\Order List.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp71A9.tmp'

Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Users\user\Desktop\Order List.exe VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order List.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation

Source: C:\Users\user\Desktop\Order List.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Order List.exe, 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d6dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6244629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.6240000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.MSBuild.exe.3d695f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order List.exe.437abe8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order List.exe PID: 5776, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job11	Process Injection211	Masquerading2	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job11	Boot or Logon Initialization Scripts	Scheduled Task/Job11	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing23	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AylDGlu.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.Order List.exe.e50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
18.2.MSBuild.exe.6240000.18.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/://w	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/u_	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlBSZeai	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnU	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/fr-f	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.urwpp.deFr	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.urwpp.depS	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
gintex.ddns.net	0%	Avira URL Cloud	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/c_	0%	Avira URL Cloud	safe
http://www.fontbureau.comrsiv	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.fontbureau.comtuF	0%	Avira URL Cloud	safe
79.134.225.115	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/j_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/R	0%	URL Reputation	safe
http://www.fontbureau.comFc_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/W	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/F_var	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/-_	0%	Avira URL Cloud	safe
http://www.urwpp.deF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/c_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/F_var	0%	Avira URL Cloud	safe
http://www.fontbureau.commito	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comd.F	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Norm-_	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ww.mQ_aar	0%	Avira URL Cloud	safe
http://www.fontbureau.comituF	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/al	0%	Avira URL Cloud	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.founder.com.cn/cn-	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comce	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/j_	0%	Avira URL Cloud	safe
http://www.fontbureau.comc_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
gintex.ddns.net	true	Avira URL Cloud: safe	unknown
79.134.225.115	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jiyu-kobo.co.jp/://w	Order List.exe, 00000000.00000003.230864466.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/u_	Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comI.TTF	Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.ascendercorp.com/typedesigners.htmlBSZeai	Order List.exe, 00000000.00000003.231082460.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnU	Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/fr-f	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.urwpp.deFr	Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.depS	Order List.exe, 00000000.00000003.233697595.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcom	Order List.exe, 00000000.00000003.233549043.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/	Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Order List.exe, 00000000.00000003.230019994.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/c_	Order List.exe, 00000000.00000003.231136881.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comrsiv	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	Order List.exe, 00000000.00000003.232095762.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comtuF	Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order List.exe, 00000000.00000002.318116595.0000000003271000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/j_	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comF	Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://github.com/seungyup26/minulazer	Order List.exe, Order List.exe, 00000000.00000002.317154586.0000000000F01000.00000002.00020000.sdmp	false		high
http://www.jiyu-kobo.co.jp/R	Order List.exe, 00000000.00000003.230341333.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFc_	Order List.exe, 00000000.00000003.233049319.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/W	Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/F_var	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-_	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deF	Order List.exe, 00000000.00000003.232030285.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/c_	Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/F_var	Order List.exe, 00000000.00000003.234322373.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.commito	Order List.exe, 00000000.00000003.236188400.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.231136881.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	Order List.exe, 00000000.00000003.232385317.00000000065F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	Order List.exe, 00000000.00000003.233549043.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	Order List.exe, 00000000.00000003.232906283.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd.F	Order List.exe, 00000000.00000003.232385317.00000000065F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	Order List.exe, 00000000.00000003.228530300.00000000065D5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Norm-_	Order List.exe, 00000000.00000003.229784102.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ww.mQ_aar	Order List.exe, 00000000.00000003.229661302.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comituF	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Order List.exe, 00000000.00000003.228566860.00000000065D2000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comf	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/al	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comoitu	Order List.exe, 00000000.00000003.236577292.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn-	Order List.exe, 00000000.00000003.229044381.00000000065D0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	Order List.exe, 00000000.00000003.236577292.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Order List.exe, 00000000.00000003.230120834.00000000065F0000.00000004.00000001.sdmp, Order List.exe, 00000000.00000003.230341333.00000000065F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Order List.exe, 00000000.00000002.323589073.0000000006730000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comce	Order List.exe, 00000000.00000003.233495791.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/j_	Order List.exe, 00000000.00000003.229784102.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comc_	Order List.exe, 00000000.00000003.233466801.00000000065F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.115	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457798
Start date:	02.08.2021
Start time:	10:36:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 36s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Order List.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/17@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.2% (good quality ratio 1.5%) Quality average: 36.1% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 13.88.21.125, 104.42.151.234, 23.211.6.115, 23.211.4.86, 20.82.210.154, 40.112.88.60, 173.222.108.226, 173.222.108.210, 20.82.209.183, 80.67.82.235, 80.67.82.211, 23.203.69.124 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, e12564.dspb.akamaiedge.net, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:45	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" s>$(Arg0)
10:37:48	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
10:37:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.115	fu.exe	Get hash	malicious	Browse
	Purchase Order- #020521_pdf.exe	Get hash	malicious	Browse
	MT TT103-SWIFT_PDF.exe	Get hash	malicious	Browse
	Purchase Order-103667.pdf.exe	Get hash	malicious	Browse
	INQ-TR-04-21-RFQ.exe	Get hash	malicious	Browse
	PO#040221-INQ.exe	Get hash	malicious	Browse
	MrZNctz1uR.exe	Get hash	malicious	Browse
	168900#.exe	Get hash	malicious	Browse
	ORDER-PO29394934.exe	Get hash	malicious	Browse
	ORDER-PO020043.exe	Get hash	malicious	Browse
	ORDER-9298PO3484.exe	Get hash	malicious	Browse
	PO-ORDER20034993.exe	Get hash	malicious	Browse
	ORDER-PURCHASE.exe	Get hash	malicious	Browse
	1571088388.doc	Get hash	malicious	Browse
	RFQ Acknowledgement Form-decrypted.doc	Get hash	malicious	Browse
	RFQ NO. 1118295-decrypted.doc	Get hash	malicious	Browse
	p.msi	Get hash	malicious	Browse
	mbq8XJ1u9C.rtf	Get hash	malicious	Browse
	mbq8XJ1u9C.rtf	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	RFQ 217563.exe	Get hash	malicious	Browse	79.134.225.116
	ORDER CONFIRMATION - 5309,pdf.exe	Get hash	malicious	Browse	79.134.225.76
	y7DZJshX9j.exe	Get hash	malicious	Browse	79.134.225.44
	SQycD6hL4Y.exe	Get hash	malicious	Browse	79.134.225.12
	TENDER INQUIRY REQUIREMENTS.exe	Get hash	malicious	Browse	79.134.225.95
	xwcTd7Kh9O.exe	Get hash	malicious	Browse	79.134.225.16
	RA1_20210729.exe	Get hash	malicious	Browse	79.134.225.98
	spworks.msi	Get hash	malicious	Browse	79.134.225.73
	spworks.msi	Get hash	malicious	Browse	79.134.225.73
	Request For Quotation.xlsx	Get hash	malicious	Browse	79.134.225.16
	Faktura-835382925.exe	Get hash	malicious	Browse	79.134.225.73
	Order List.gz.exe	Get hash	malicious	Browse	79.134.225.100
	doc_18000476456499946534.exe	Get hash	malicious	Browse	79.134.225.44
	Bh8aCXgJx4.exe	Get hash	malicious	Browse	79.134.225.22
	Resumen detallado del proveedor de 1302640 de solicitud de presupuesto.exe	Get hash	malicious	Browse	79.134.225.8
	Investment1FZELtd.exe	Get hash	malicious	Browse	79.134.225.35
	KRooWcCysc.exe	Get hash	malicious	Browse	79.134.225.25
	Request price for partsDP35212202122000.exe	Get hash	malicious	Browse	79.134.225.44
	change of bank account.exe	Get hash	malicious	Browse	79.134.225.44
	partsDP35212202122000.exe	Get hash	malicious	Browse	79.134.225.44

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	allcrhfJER.exe	Get hash	malicious	Browse
	quotation.exe	Get hash	malicious	Browse
	HSBC.exe	Get hash	malicious	Browse
	f026ae3a33ea7c54bcff959e9bdd2e60.exe	Get hash	malicious	Browse
	HUMVC_039873637892OIHGDHJZ.exe	Get hash	malicious	Browse
	HSBC Swift.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	Contract05072157393.exe	Get hash	malicious	Browse
	19495C90691E8B6EEF5D55D50B9D76AE6CEB5629D6C08.exe	Get hash	malicious	Browse
	PO# 6042089404900 & PAYMENT DETAILSpdf.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	Quotation Price - Double R Trading b.v.exe	Get hash	malicious	Browse
	QTN TECHN 80654.exe	Get hash	malicious	Browse
	Nizi International S.A. #New Order.exe	Get hash	malicious	Browse
	DHL Shipment Documents.exe	Get hash	malicious	Browse
	27bd034c36964c455e2b2ad6b264561f.exe	Get hash	malicious	Browse
	quote #2063 almaco.exe	Get hash	malicious	Browse
	ConsoleSniffer v4.1 installer.exe	Get hash	malicious	Browse
	jtH33Uljkz.exe	Get hash	malicious	Browse
	quote #60123.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	261728
Entropy (8bit):	6.1750840449797675
Encrypted:	false
SSDEEP:	3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
MD5:	D621FD77BD585874F9686D3A76462EF1
SHA1:	ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256:	2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
SHA-512:	2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: allcrhfJER.exe, Detection: malicious, Browse Filename: quotation.exe, Detection: malicious, Browse Filename: HSBC.exe, Detection: malicious, Browse Filename: f026ae3a33ea7c54bcff959e9bdd2e60.exe, Detection: malicious, Browse Filename: HUMVC_039873637892OIHGDHJZ.exe, Detection: malicious, Browse Filename: HSBC Swift.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse Filename: Contract05072157393.exe, Detection: malicious, Browse Filename: 19495C90691E8B6EEF5D55D50B9D76AE6CEB5629D6C08.exe, Detection: malicious, Browse Filename: PO# 6042089404900 & PAYMENT DETAILSpdf.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: Quotation Price - Double R Trading b.v.exe, Detection: malicious, Browse Filename: QTN TECHN 80654.exe, Detection: malicious, Browse Filename: Nizi International S.A. #New Order.exe, Detection: malicious, Browse Filename: DHL Shipment Documents.exe, Detection: malicious, Browse Filename: 27bd034c36964c455e2b2ad6b264561f.exe, Detection: malicious, Browse Filename: quote #2063 almaco.exe, Detection: malicious, Browse Filename: ConsoleSniffer v4.1 installer.exe, Detection: malicious, Browse Filename: jtH33Uljkz.exe, Detection: malicious, Browse Filename: quote #60123.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..\|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................\|..........................................{.......v.(=....r...p({...-..+..}........0..%........(....-......(z.....&..}..............................0..5........(....-...-.r+..ps>...z.....i(z.....&..}......................%......>....(?...(....N..(@....oA...(....:...(B...(....:...(C...(....*....(........0..G........(....,....(....-...}......r...p(x...&.(v.....}......&..}....................7.......0..f........-.r7..ps>...z .....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.356220854328477
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5:	486580834B084C92AE1F3866166C9C34
SHA1:	C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256:	65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512:	2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order List.exe.log Download File
Process:	C:\Users\user\Desktop\Order List.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
MD5:	B666A4404B132B2BF6C04FBF848EB948
SHA1:	D2EFB3D43F8B8806544D3A47F7DAEE8534981739
SHA-256:	7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
SHA-512:	00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1037
Entropy (8bit):	5.371216502395632
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvEHxD0
MD5:	C7F28B87C2CAD111D929CB9A0FF822F8
SHA1:	C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
SHA-256:	D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
SHA-512:	E0F35874E02AB672CFF0553A0DA0864DAB14C05733D06395E4D0C9CDFC6F445E940310F8D01E3E1B28895F636DFBC1F510E103D1C46818400BA4E7371D8F254D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp Download File
Process:	C:\Users\user\Desktop\Order List.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1644
Entropy (8bit):	5.165156184375511
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB9tn:cbhC7ZlNQF/rydbz9I3YODOLNdq3V
MD5:	3813C1B0AF635F5B444709655B411776
SHA1:	E53CAFA0ED3C230E932B3492E6FA98305C565A14
SHA-256:	2015BA2920185ACC6B27194B623BC7211FA93BAE40C7CE73DD315B8EC016A8A2
SHA-512:	5889042C324AABC2A4FE3F089A467B63928C3D002B6B065323425EFB6A66A73F18765EC81E89D6281DA8E201F1FC8240995E4E83A03691CE61203E202DBF6212
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.137611098420233
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0moxtn:cbk4oL600QydbQxIYODOLedq3Zoj
MD5:	3E2B26ED8B75AE83A269595180E84EF6
SHA1:	D30A0335FCCE406BCA8BA5764288235E6192F608
SHA-256:	108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
SHA-512:	B6981C68FCB886CC8379A068B96931B9D4F5CC5AA9BDC467E36C4168FE6C5273A2A84D8850B12C11703EC03AC6B1F1950D1E669EFCB59FC2402CE4BBA9DC03D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp71A9.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\AylDGlu.exe Download File
Process:	C:\Users\user\Desktop\Order List.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1167872
Entropy (8bit):	6.908581539026972
Encrypted:	false
SSDEEP:	12288:hMLiJXfXUy8jmk63yoPSaEwvguKt+lCNkogRbHa1U/Fnmb68bEtFqTNmqUQzBRMo:iiwSClPuKtQoWbHWI/024TN+QzrMpnm
MD5:	E2893188B7E7D6F19581A7981C2A0A75
SHA1:	6A7A3D1ECB2175B53FB98974220F15EC6A1545CF
SHA-256:	09B6F40CF52BDE38B03CBF49A02E40370914AACFE727CDA9D6D9002CCE5DEBEB
SHA-512:	E970D0693A37412F3DC0564298768C9AA105D44B5BC5017F280A7FD3A525181AF06D0404F1DED2AABF10F85B6D6812FB189323FABBFDE27BA8CC63A3B787449F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......>.......... ........@.. ....................... ............@.................................x...S........;........................................................................... ............... ..H............text....... ...................... ..`.rsrc....;.......<..................@..@.reloc..............................@..B........................H...........`...........H~..............................................0..<.......(.... _.73 .O.Na%..^E................+.(..... .R..Z ..i.a+.*.0..U.......r...p. ..U. K.B.a%...^E................................C.......S...8....r...p(..... ...Z ck"\|a+........s....(....%.(.....(.... ..{.+..(.... .%.8u....r...p(....(....,. B.q.%+. .2..%&. ...Za8G....r...p(....(....,. ..J.%+. ...%&. ..{oZa8....(..... .x..8.....(....(....rC..p(....-. ..C%+. .d.f%&. ..-.Za8.....,. ....%+. .V.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:xj:J
MD5:	8E9918AA34A4FC689DFB85A6EE58791E
SHA1:	E92F1026D08335FDC10AE043ED70C8C4ACA11E36
SHA-256:	F5BDA608F20CF1127744E7E62383FD2444872CC21ACA5C9773F346EADC4ED55E
SHA-512:	C66E7BED8D8C726607A225A88B8A7E5C1999FBA60915C9DF49F5F6140E8FC32B6481E2F041AF51DC095E17CAB4B819B42E7B47004742C7737DE6DE17ECBFB9CE
Malicious:	true
Preview:	c.'<.U.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVnXygY6oRDT6P2bfVn1:RzWDT62DWDT621
MD5:	4315325323A62DE913E5CCD153817BCE
SHA1:	8B38155CD8ACB20BBA0C2A8AF02BFD35B15221A8
SHA-256:	E0C2085D878FDF53CD7D8F0AA9F07490802C51FC3C14A52B6FEA96AD0743C838
SHA-512:	B5036A6CD4852CEBCA86F588D94B9D58B63EB07B2F4DEBD38D5E1BE68B0BB62F82FA239673B6C08F432A28DD50E1D15773DC3738251BD2F9959F1255D72745EB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.887726803973036
Encrypted:	false
SSDEEP:	3:oMty8WddSJ8:oMLW6C
MD5:	6ECAFC0490DAB08E4A288E0042B6B613
SHA1:	4A4529907588505FC65CC9933980CFE6E576B3D6
SHA-256:	DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
SHA-512:	7DA2B02627A36C8199814C250A1FBD61A9C18E098F8D691C11D75044E7F51DBD52C31EC2E1EA8CDEE5077ADCCB8CD247266F191292DB661FE7EA1B613FC646F8
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.943030742860529
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
MD5:	6A9888952541A41F033EB114C24DC902
SHA1:	41903D7C8F31013C44572E09D97B9AAFBBCE77E6
SHA-256:	41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
SHA-512:	E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
Malicious:	false
Preview:	Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.908581539026972
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Order List.exe
File size:	1167872
MD5:	e2893188b7e7d6f19581a7981c2a0a75
SHA1:	6a7a3d1ecb2175b53fb98974220f15ec6a1545cf
SHA256:	09b6f40cf52bde38b03cbf49a02e40370914aacfe727cda9d6d9002cce5debeb
SHA512:	e970d0693a37412f3dc0564298768c9aa105d44b5bc5017f280a7fd3a525181af06d0404f1ded2aabf10f85b6d6812fb189323fabbfde27ba8cc63a3b787449f
SSDEEP:	12288:hMLiJXfXUy8jmk63yoPSaEwvguKt+lCNkogRbHa1U/Fnmb68bEtFqTNmqUQzBRMo:iiwSClPuKtQoWbHWI/024TN+QzrMpnm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......>........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	e8ccd8d898ac84b0

Static PE Info

General
Entrypoint:	0x4db1ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6107AA90 [Mon Aug 2 08:19:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdb178	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x43b90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd91d4	0xd9200	False	0.722661872121	data	7.42920521019	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x43b90	0x43c00	False	0.06349818381	data	3.71639937012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xdc1f0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xdc658	0x988	data
RT_ICON	0xdcfe0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 328833692, next used block 110400919
RT_ICON	0xde088	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xe0630	0x3eff8	data
RT_GROUP_ICON	0x11f628	0x4c	data
RT_VERSION	0x11f674	0x330	data
RT_MANIFEST	0x11f9a4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2015
Assembly Version	1.0.0.0
InternalName	ecofAet.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	stuSys
ProductVersion	1.0.0.0
FileDescription	stuSys
OriginalFilename	ecofAet.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/02/21-10:37:48.444296	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	21180	192.168.2.5	79.134.225.115

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:36:55.545634031 CEST	49694	80	192.168.2.5	93.184.220.29
Aug 2, 2021 10:37:45.966896057 CEST	49679	80	192.168.2.5	8.253.95.249
Aug 2, 2021 10:37:45.986520052 CEST	80	49679	8.253.95.249	192.168.2.5
Aug 2, 2021 10:37:45.986632109 CEST	49679	80	192.168.2.5	8.253.95.249
Aug 2, 2021 10:37:47.457376003 CEST	80	49677	93.184.220.29	192.168.2.5
Aug 2, 2021 10:37:47.457555056 CEST	49677	80	192.168.2.5	93.184.220.29
Aug 2, 2021 10:37:47.465976954 CEST	49681	443	192.168.2.5	23.211.5.146
Aug 2, 2021 10:37:47.466259003 CEST	49682	80	192.168.2.5	93.184.220.29
Aug 2, 2021 10:37:47.882853031 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:48.094882965 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:48.095026970 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:48.444295883 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:48.709353924 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:48.921909094 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.019455910 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.060343027 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.174405098 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.174550056 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.389699936 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.451085091 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.676028013 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.949367046 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.991055012 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.992948055 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.993057966 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.993128061 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.993216991 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.993278027 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.993304968 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.994165897 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.994411945 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.994455099 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.994489908 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.994517088 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.994568110 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:49.994637966 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:49.995371103 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.176512003 CEST	49692	80	192.168.2.5	104.18.25.243
Aug 2, 2021 10:37:50.176589966 CEST	49691	80	192.168.2.5	93.184.220.29
Aug 2, 2021 10:37:50.212831974 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.213325024 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.213346958 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.213428974 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.214587927 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.214612961 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.214664936 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.215554953 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.215603113 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.215656996 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.216420889 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.216478109 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.216509104 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.217273951 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.217338085 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.217410088 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.219135046 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.219177008 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.219208956 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.219480991 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.219541073 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.219602108 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.220336914 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.220407009 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.220439911 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.221250057 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.221364975 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.221431017 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.222332954 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.222403049 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.432578087 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.433280945 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.433357000 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.433420897 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.437311888 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.437355042 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.437448025 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.438529015 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.438610077 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.438766956 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.439344883 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.439511061 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.439573050 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.440337896 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.440414906 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.441375971 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.441415071 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.441551924 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.441608906 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.443027973 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443105936 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.443250895 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443310976 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443370104 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.443438053 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443548918 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443741083 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.443804026 CEST	49720	21180	192.168.2.5	79.134.225.115
Aug 2, 2021 10:37:50.444339991 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.444367886 CEST	21180	49720	79.134.225.115	192.168.2.5
Aug 2, 2021 10:37:50.444407940 CEST	49720	21180	192.168.2.5	79.134.225.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:36:52.696764946 CEST	54795	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:52.721476078 CEST	53	54795	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:52.951451063 CEST	49557	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:52.978857994 CEST	53	49557	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:54.170504093 CEST	61733	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:54.199134111 CEST	53	61733	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:55.189388990 CEST	65447	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:55.218738079 CEST	53	65447	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:55.467132092 CEST	52441	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:55.503940105 CEST	53	52441	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:56.637178898 CEST	62176	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:56.662166119 CEST	53	62176	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:57.799081087 CEST	59596	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:57.831871033 CEST	53	59596	8.8.8.8	192.168.2.5
Aug 2, 2021 10:36:58.974387884 CEST	65296	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:36:59.000518084 CEST	53	65296	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:00.451422930 CEST	63183	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:00.480938911 CEST	53	63183	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:01.850739002 CEST	60151	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:01.879838943 CEST	53	60151	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:03.355778933 CEST	56969	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:03.389061928 CEST	53	56969	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:04.422868013 CEST	55161	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:04.447510004 CEST	53	55161	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:20.475544930 CEST	54757	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:20.510988951 CEST	53	54757	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:25.976667881 CEST	49992	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:26.012877941 CEST	53	49992	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:45.165153027 CEST	60075	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:45.207217932 CEST	53	60075	8.8.8.8	192.168.2.5
Aug 2, 2021 10:37:46.858176947 CEST	55016	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:37:46.893711090 CEST	53	55016	8.8.8.8	192.168.2.5
Aug 2, 2021 10:38:01.684149027 CEST	64345	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:38:01.716814995 CEST	53	64345	8.8.8.8	192.168.2.5
Aug 2, 2021 10:38:05.228482008 CEST	57128	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:38:05.265399933 CEST	53	57128	8.8.8.8	192.168.2.5
Aug 2, 2021 10:38:36.086673021 CEST	54791	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:38:36.119854927 CEST	53	54791	8.8.8.8	192.168.2.5
Aug 2, 2021 10:38:37.729825020 CEST	50463	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:38:37.771148920 CEST	53	50463	8.8.8.8	192.168.2.5
Aug 2, 2021 10:39:08.804861069 CEST	50394	53	192.168.2.5	8.8.8.8
Aug 2, 2021 10:39:08.841943026 CEST	53	50394	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Order List.exe PID: 5776 Parent PID: 5704

General

Start time:	10:36:59
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Order List.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Order List.exe'
Imagebase:	0xe50000
File size:	1167872 bytes
MD5 hash:	E2893188B7E7D6F19581A7981C2A0A75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.319940301.0000000004211000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.320367563.000000000426A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 1848 Parent PID: 5776

General

Start time:	10:37:40
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AylDGlu' /XML 'C:\Users\user\AppData\Local\Temp\tmp5BCE.tmp'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4472 Parent PID: 1848

General

Start time:	10:37:40
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exe PID: 5564 Parent PID: 5776

General

Start time:	10:37:41
Start date:	02/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x50000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: MSBuild.exe PID: 4988 Parent PID: 5776

General

Start time:	10:37:42
Start date:	02/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8d0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504687984.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504506508.0000000006D90000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000012.00000002.500969666.0000000003FD6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.493600525.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504550437.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.500557956.0000000003D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504188143.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504614903.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504566226.0000000006DC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.503662031.0000000006240000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.503067769.0000000005510000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504637714.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504719426.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504589888.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.496659781.0000000002D01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000012.00000002.496725291.0000000002D80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000012.00000002.500995543.0000000003FEF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504402260.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504820469.0000000006E60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.504524423.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: schtasks.exe PID: 3100 Parent PID: 4988

General

Start time:	10:37:44
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6DFE.tmp'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4692 Parent PID: 3100

General

Start time:	10:37:44
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5512 Parent PID: 4988

General

Start time:	10:37:45
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp71A9.tmp'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 1716 Parent PID: 5512

General

Start time:	10:37:45
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: MSBuild.exe PID: 488 Parent PID: 904

General

Start time:	10:37:45
Start date:	02/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
Imagebase:	0xcb0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 1012 Parent PID: 488

General

Start time:	10:37:46
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff604460000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 5276 Parent PID: 904

General

Start time:	10:37:48
Start date:	02/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xa10000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: conhost.exe PID: 5284 Parent PID: 5276

General

Start time:	10:37:49
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 6080 Parent PID: 3472

General

Start time:	10:37:57
Start date:	02/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xd60000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 3980 Parent PID: 6080

General

Start time:	10:37:58
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Order List.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts