Windows Analysis Report ASGT(Al Sahoo General Trading) - RFQ.exe

Overview

General Information

Sample Name: ASGT(Al Sahoo General Trading) - RFQ.exe
Analysis ID: 483055
MD5: f981ae4dae49248c03dd86b5508ec434
SHA1: 680901b0a898a68ff04cbaafb851e28294d06d03
SHA256: ef45c55d9b3fd183f6c9b4e0359005fa6052fa4155de07129b839056b7cc26e9
Tags: exe, nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Sigma detected: PowerShell Script Run in AppData

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Virustotal: Detection: 34%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe Virustotal: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fdc7ca.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.632241013.0000000003E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.634690385.00000000057D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR
Machine Learning detection for sample
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack Avira: Label: TR/NanoCore.fadte
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000010.00000000.552112608.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000013.00000000.579886617.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000014.00000002.609357349.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.606662276.000000000040C000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.56b0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6960000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a04c9f.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69a0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a0e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2e9fa3c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2e9fa3c.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fdc7ca.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.634473391.00000000056B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638232760.00000000069D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638401577.0000000006A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.637715725.00000000067E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638552630.0000000006A40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.637951566.0000000006960000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.633168438.000000000412A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.638002422.0000000006980000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638196142.00000000069C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638093395.00000000069A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.632241013.0000000003E41000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.634690385.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.630682513.0000000002E62000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.638041979.0000000006990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.637856242.0000000006930000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.638363567.00000000069F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.56b0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.56b0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6960000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6960000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d4629.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a04c9f.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a04c9f.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69f0000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.418f996.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6930000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69b0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4186b67.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a00000.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69a0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69a0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69d0000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6980000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a0e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a0e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6990000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.6a40000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.419ddc6.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.67e0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.69c0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2e9fa3c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2e9fa3c.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2eaf4a4.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fdc7ca.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.634473391.00000000056B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.634473391.00000000056B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638232760.00000000069D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638232760.00000000069D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638401577.0000000006A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638401577.0000000006A00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.637715725.00000000067E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.637715725.00000000067E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638552630.0000000006A40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638552630.0000000006A40000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.637951566.0000000006960000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.637951566.0000000006960000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.633168438.000000000412A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.638002422.0000000006980000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638002422.0000000006980000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638196142.00000000069C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638196142.00000000069C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638093395.00000000069A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638093395.00000000069A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.632241013.0000000003E41000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.634690385.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.634690385.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.630682513.0000000002E62000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.638041979.0000000006990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638041979.0000000006990000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.637856242.0000000006930000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.637856242.0000000006930000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.638363567.00000000069F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.638363567.00000000069F0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_00C727EE 0_2_00C727EE
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_00C7AA39 0_2_00C7AA39
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_01183400 0_2_01183400
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_011833D0 0_2_011833D0
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_0118D6D0 0_2_0118D6D0
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_02E7C134 0_2_02E7C134
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_02E7E568 0_2_02E7E568
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_02E7E578 0_2_02E7E578
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_00C741CE 0_2_00C741CE
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_00C7532B 0_2_00C7532B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076F7470 2_2_076F7470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076F08E0 2_2_076F08E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076F08D0 2_2_076F08D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076F3FA0 2_2_076F3FA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F924C0 2_2_07F924C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9E400 2_2_07F9E400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F98E08 2_2_07F98E08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9E400 2_2_07F9E400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F924B1 2_2_07F924B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F98DF8 2_2_07F98DF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9BD80 2_2_07F9BD80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9BD70 2_2_07F9BD70
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 22_2_0004AA39 22_2_0004AA39
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 22_2_000427EE 22_2_000427EE
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 22_2_000441CE 22_2_000441CE
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 22_2_0004532B 22_2_0004532B
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 23_2_001CAA39 23_2_001CAA39
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 23_2_001C27EE 23_2_001C27EE
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 23_2_001C41CE 23_2_001C41CE
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 23_2_001C532B 23_2_001C532B
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_00A6AA39 24_2_00A6AA39
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_00A627EE 24_2_00A627EE
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_02E1E480 24_2_02E1E480
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_02E1E471 24_2_02E1E471
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_02E1BBD4 24_2_02E1BBD4
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_00A6532B 24_2_00A6532B
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 24_2_00A641CE 24_2_00A641CE
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Sample file is different than original file name gathered from version info
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Binary or memory string: OriginalFilename vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.619352850.00000000013F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBcxcrklejlbndlpralktiwn.dllP vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000003.611379210.0000000007C40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConsoleApp18.exeD vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWpqukug.dll" vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Binary or memory string: OriginalFilename vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000000.613256942.0000000000110000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameConsoleApp18.exeD vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Binary or memory string: OriginalFilename vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000000.614885822.0000000000290000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameConsoleApp18.exeD vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Binary or memory string: OriginalFilename vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638232760.00000000069D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000000.616518920.0000000000B30000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameConsoleApp18.exeD vs ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs ASGT(Al Sahoo General Trading) - RFQ.exe
PE file contains strange resources
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: myxpcstart.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASGT(Al Sahoo General Trading) - RFQ.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File read: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe 'C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe'
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5352
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6952
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 16_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 20_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 20_2_00408FC9
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/11@0/1
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 16_2_00401306
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 16_2_004095FD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 16_2_0040A33B
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ASGT(Al Sahoo General Trading) - RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000010.00000000.552112608.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000013.00000000.579886617.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000014.00000002.609357349.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.606662276.000000000040C000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Code function: 0_2_02E7F930 pushfd ; iretd 0_2_02E7F931
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076F2077 push ebx; retf 2_2_076F207A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9E238 pushfd ; iretd 2_2_07F9E239
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9E0C8 push esp; iretd 2_2_07F9E0C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9DDA9 pushfd ; iretd 2_2_07F9DDAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9DC30 pushfd ; iretd 2_2_07F9DC36
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9CBAC push esp; ret 2_2_07F9CBE1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9DB80 pushfd ; iretd 2_2_07F9DB82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07F9DB78 pushfd ; iretd 2_2_07F9DB7A
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040B550 push eax; ret 16_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040B550 push eax; ret 16_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040B50D push ecx; ret 16_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 20_2_0040B550 push eax; ret 20_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 20_2_0040B550 push eax; ret 20_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 20_2_0040B50D push ecx; ret 20_2_0040B51D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_0040289F
Source: initial sample Static PE information: section name: .text entropy: 7.1425786043
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: \asgt(al sahoo general trading) - rfq.exe
Drops PE files
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 16_2_00401306

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_00408E31
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2151
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2301
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000002.00000002.492725017.000000000511F000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000002.00000002.492725017.000000000511F000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_0040289F
Enables debug privileges
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 400000
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 402000
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 420000
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 422000
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: CCA008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory allocated: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Memory written: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe base: 400000 value starts with: 4D5A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 16_2_00401C26
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Process created: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5352
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6952
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630682513.0000000002E62000.00000004.00000001.sdmp Binary or memory string: Program ManagerH
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.631993560.0000000002F83000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630267469.0000000001900000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630267469.0000000001900000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.635438706.0000000005FCD000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630267469.0000000001900000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630682513.0000000002E62000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.630267469.0000000001900000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.639289138.00000000072AC000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager h

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_076FEEF8 CreateNamedPipeW, 2_2_076FEEF8
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 16_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 16_2_0040A272

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40cdca8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e4e5cf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.40f5cc8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e581d4.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3e49930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ASGT(Al Sahoo General Trading) - RFQ.exe.4145ce8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fc819d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fdc7ca.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.632241013.0000000003E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.634690385.00000000057D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621361246.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.625215508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.621456573.00000000040A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621578640.0000000004145000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost