Play interactive tour

Edit tour

Windows Analysis Report 09142021_PDF.vbs

Overview

General Information

Sample Name:	09142021_PDF.vbs
Analysis ID:	483646
MD5:	4a638d451c40bc23491a0c79b6561d29
SHA1:	5caa98e6150e72cff32549541ab937cc952b769c
SHA256:	62e85b9481efe0bb5921277ce40acb236dba44be1bbe8bab2be8068eef10c341
Tags:	NanoCoreRATvbs
Infos:
Most interesting Screenshot:

Detection

Nanocore AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Sigma detected: NanoCore

VBScript performs obfuscated calls to suspicious functions

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: MSBuild connects to smtp port

Antivirus detection for dropped file

Yara detected Nanocore RAT

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Installs a global keyboard hook

Injects files into Windows application

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains strange resources

Drops PE files

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Contains functionality to call native functions

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7012 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Notepad.exe (PID: 3664 cmdline: 'C:\Users\user\AppData\Local\Temp\Notepad.exe' MD5: 033B15C82C1F08143DA87E0F4D1AD9BC)

MSBuild.exe (PID: 5480 cmdline: {path} MD5: 88BBB7610152B48C2B3879473B17857E)

Chrome.exe (PID: 5276 cmdline: 'C:\Users\user\AppData\Local\Temp\Chrome.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)

dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)

hmltog.exe (PID: 4328 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

hmltog.exe (PID: 3728 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Chrome.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\Chrome.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\Chrome.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Chrome.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b3f2:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x109bd:$x1: NanoCore.ClientPluginHost 0x109fa:$x2: IClientNetworkHost 0x1452d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10725:$a: NanoCore 0x10735:$a: NanoCore 0x10969:$a: NanoCore 0x1097d:$a: NanoCore 0x109bd:$a: NanoCore 0x10784:$b: ClientPlugin 0x10986:$b: ClientPlugin 0x109c6:$b: ClientPlugin 0x108ab:$c: ProjectData 0x112b2:$d: DESCrypto 0x18c7e:$e: KeepAlive 0x16c6c:$g: LogClientMessage 0x12e67:$i: get_Connected 0x115e8:$j: #=q 0x11618:$j: #=q 0x11634:$j: #=q 0x11664:$j: #=q 0x11680:$j: #=q 0x1169c:$j: #=q 0x116cc:$j: #=q 0x116e8:$j: #=q
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9726d:$x1: NanoCore.ClientPluginHost 0x972aa:$x2: IClientNetworkHost 0x9addd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x96fd5:$a: NanoCore 0x96fe5:$a: NanoCore 0x97219:$a: NanoCore 0x9722d:$a: NanoCore 0x9726d:$a: NanoCore 0x97034:$b: ClientPlugin 0x97236:$b: ClientPlugin 0x97276:$b: ClientPlugin 0x9715b:$c: ProjectData 0x97b62:$d: DESCrypto 0x9f52e:$e: KeepAlive 0x9d51c:$g: LogClientMessage 0x99717:$i: get_Connected 0x97e98:$j: #=q 0x97ec8:$j: #=q 0x97ee4:$j: #=q 0x97f14:$j: #=q 0x97f30:$j: #=q 0x97f4c:$j: #=q 0x97f7c:$j: #=q 0x97f98:$j: #=q
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10fad:$x1: NanoCore.ClientPluginHost 0x439bd:$x1: NanoCore.ClientPluginHost 0x10fea:$x2: IClientNetworkHost 0x439fa:$x2: IClientNetworkHost 0x14b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4752d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10d15:$a: NanoCore 0x10d25:$a: NanoCore 0x10f59:$a: NanoCore 0x10f6d:$a: NanoCore 0x10fad:$a: NanoCore 0x43725:$a: NanoCore 0x43735:$a: NanoCore 0x43969:$a: NanoCore 0x4397d:$a: NanoCore 0x439bd:$a: NanoCore 0x10d74:$b: ClientPlugin 0x10f76:$b: ClientPlugin 0x10fb6:$b: ClientPlugin 0x43784:$b: ClientPlugin 0x43986:$b: ClientPlugin 0x439c6:$b: ClientPlugin 0x10e9b:$c: ProjectData 0x438ab:$c: ProjectData 0x118a2:$d: DESCrypto 0x442b2:$d: DESCrypto 0x1926e:$e: KeepAlive
00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493e5:$a: NanoCore 0x4943e:$a: NanoCore 0x4947b:$a: NanoCore 0x494f4:$a: NanoCore 0x5cb9f:$a: NanoCore 0x5cbb4:$a: NanoCore 0x5cbe9:$a: NanoCore 0x75663:$a: NanoCore 0x75678:$a: NanoCore 0x756ad:$a: NanoCore 0x49447:$b: ClientPlugin 0x49484:$b: ClientPlugin 0x49d82:$b: ClientPlugin 0x49d8f:$b: ClientPlugin 0x5c95b:$b: ClientPlugin 0x5c976:$b: ClientPlugin 0x5c9a6:$b: ClientPlugin 0x5cbbd:$b: ClientPlugin 0x5cbf2:$b: ClientPlugin 0x7541f:$b: ClientPlugin 0x7543a:$b: ClientPlugin
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1ee0d:$x1: NanoCore.ClientPluginHost 0x1ee4a:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e95:$a: NanoCore 0x2ea5:$a: NanoCore 0x1edb9:$a: NanoCore 0x1edcd:$a: NanoCore 0x1ee0d:$a: NanoCore 0x2ef4:$b: ClientPlugin 0x1edd6:$b: ClientPlugin 0x1ee16:$b: ClientPlugin 0x1ecfb:$c: ProjectData 0x1f702:$d: DESCrypto 0x1467e:$e: KeepAlive 0x234dc:$g: LogClientMessage 0x12657:$i: get_Connected 0x1203d:$j: #=q 0x1206d:$j: #=q 0x12089:$j: #=q 0x120da:$j: #=q 0x120f6:$j: #=q 0x1211e:$j: #=q 0x1213a:$j: #=q 0x1216a:$j: #=q
0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wscript.exe PID: 7012	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e8c78:$x1: NanoCore.ClientPluginHost 0x1e8cb5:$x2: IClientNetworkHost 0x1ec3ba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f7283:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c3968:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45c59f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x467932:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4a6164:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wscript.exe PID: 7012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wscript.exe PID: 7012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e8a83:$a: NanoCore 0x1e8a93:$a: NanoCore 0x1e8b08:$a: NanoCore 0x1e8b17:$a: NanoCore 0x1e8c24:$a: NanoCore 0x1e8c38:$a: NanoCore 0x1e8c78:$a: NanoCore 0x1f38ed:$a: NanoCore 0x1f38ff:$a: NanoCore 0x1f393b:$a: NanoCore 0x2bffd2:$a: NanoCore 0x2bffe4:$a: NanoCore 0x2c0020:$a: NanoCore 0x458c09:$a: NanoCore 0x458c1b:$a: NanoCore 0x458c57:$a: NanoCore 0x463f9c:$a: NanoCore 0x463fae:$a: NanoCore 0x463fea:$a: NanoCore 0x4a9702:$a: NanoCore 0x4a9714:$a: NanoCore
Process Memory Space: Notepad.exe PID: 3664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Notepad.exe PID: 3664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Chrome.exe PID: 5276	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f44c:$x1: NanoCore.ClientPluginHost 0x3f489:$x2: IClientNetworkHost 0x3d23:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc5b6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4575d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Chrome.exe PID: 5276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Chrome.exe PID: 5276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3f132:$a: NanoCore 0x3f142:$a: NanoCore 0x3f1f1:$a: NanoCore 0x3f200:$a: NanoCore 0x3f3f8:$a: NanoCore 0x3f40c:$a: NanoCore 0x3f44c:$a: NanoCore 0x41dc7:$a: NanoCore 0x41dd9:$a: NanoCore 0x41e15:$a: NanoCore 0x14695:$b: ClientPlugin 0x146ba:$b: ClientPlugin 0x14714:$b: ClientPlugin 0x14739:$b: ClientPlugin 0x38a67:$b: ClientPlugin 0x38a74:$b: ClientPlugin 0x38ab1:$b: ClientPlugin 0x38abe:$b: ClientPlugin 0x3a03d:$b: ClientPlugin 0x3a062:$b: ClientPlugin 0x3a0b3:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1911:$a: NanoCore 0x196e:$a: NanoCore 0x19e1:$a: NanoCore 0xaa9d:$a: NanoCore 0xad0b:$a: NanoCore 0xad5e:$a: NanoCore 0xad97:$a: NanoCore 0xae0a:$a: NanoCore 0xba61:$a: NanoCore 0x1b7c2:$a: NanoCore 0x1b7d1:$a: NanoCore 0x1b9c5:$a: NanoCore 0x1b9d7:$a: NanoCore 0x1ba13:$a: NanoCore 0x28ef6:$a: NanoCore 0x2f6d0:$a: NanoCore 0x2f6e3:$a: NanoCore 0x2f715:$a: NanoCore 0x34b32:$a: NanoCore 0x34b45:$a: NanoCore 0x34b77:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 5480	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 5480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.wscript.exe.2756be19830.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.397e43c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.397e43c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.397e43c.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.2953dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.dhcpmon.exe.2953dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1120d:$x1: NanoCore.ClientPluginHost 0x1124a:$x2: IClientNetworkHost 0x611d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756c017c00.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1120d:$x2: NanoCore.ClientPluginHost 0x12846:$s1: PluginCommand 0x1283a:$s2: FileCommand 0x4a8b:$s3: PipeExists 0x6a52:$s4: PipeCreated 0x11237:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x111b9:$a: NanoCore 0x111cd:$a: NanoCore 0x1120d:$a: NanoCore 0x111d6:$b: ClientPlugin 0x11216:$b: ClientPlugin 0x110fb:$c: ProjectData 0x11b02:$d: DESCrypto 0x6a7e:$e: KeepAlive 0x158dc:$g: LogClientMessage 0x4a57:$i: get_Connected 0x443d:$j: #=q 0x446d:$j: #=q 0x4489:$j: #=q 0x44da:$j: #=q 0x44f6:$j: #=q 0x451e:$j: #=q 0x453a:$j: #=q 0x456a:$j: #=q 0x45a4:$j: #=q 0x45db:$j: #=q 0x45f7:$j: #=q
7.2.dhcpmon.exe.3979606.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0d4:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3979606.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0a7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e182:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c1:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3979606.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3979606.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d05d:$a: NanoCore 0x2d072:$a: NanoCore 0x2d0a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce19:$b: ClientPlugin 0x2ce34:$b: ClientPlugin
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.3.wscript.exe.2756be19830.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.wscript.exe.2756cac70e0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756cac70e0.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wscript.exe.2756cac70e0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756cac70e0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.Notepad.exe.3d699d8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Notepad.exe.3d699d8.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.Chrome.exe.1e0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Chrome.exe.1e0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Chrome.exe.1e0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Chrome.exe.1e0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.3982a65.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3982a65.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3982a65.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.a0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.a0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.397e43c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28271:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2829e:$x2: IClientNetworkHost
7.2.dhcpmon.exe.397e43c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28271:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2934c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2828b:$s5: IClientLoggingHost
7.2.dhcpmon.exe.397e43c.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf40d:$x1: NanoCore.ClientPluginHost 0xf44a:$x2: IClientNetworkHost 0x431d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756c017c00.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf40d:$x2: NanoCore.ClientPluginHost 0x10a46:$s1: PluginCommand 0x10a3a:$s2: FileCommand 0x2c8b:$s3: PipeExists 0x4c52:$s4: PipeCreated 0xf437:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf3b9:$a: NanoCore 0xf3cd:$a: NanoCore 0xf40d:$a: NanoCore 0xf3d6:$b: ClientPlugin 0xf416:$b: ClientPlugin 0xf2fb:$c: ProjectData 0xfd02:$d: DESCrypto 0x4c7e:$e: KeepAlive 0x13adc:$g: LogClientMessage 0x2c57:$i: get_Connected 0x263d:$j: #=q 0x266d:$j: #=q 0x2689:$j: #=q 0x26da:$j: #=q 0x26f6:$j: #=q 0x271e:$j: #=q 0x273a:$j: #=q 0x276a:$j: #=q 0x27a4:$j: #=q 0x27db:$j: #=q 0x27f7:$j: #=q
4.2.Notepad.exe.3d699d8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Notepad.exe.3d699d8.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.wscript.exe.2756cac70e0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756cac70e0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.wscript.exe.2756cac70e0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756cac70e0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.wscript.exe.2756be19830.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.0.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.dhcpmon.exe.a0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.dhcpmon.exe.a0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.wscript.exe.2756bde6e20.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42b9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bda:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4670d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756bde6e20.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42915:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42b9d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441d6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441ca:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4507b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae32:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bc7:$s5: IClientLoggingHost
1.3.wscript.exe.2756bde6e20.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756bde6e20.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42905:$a: NanoCore 0x42915:$a: NanoCore 0x42b49:$a: NanoCore 0x42b5d:$a: NanoCore 0x42b9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42964:$b: ClientPlugin 0x42b66:$b: ClientPlugin 0x42ba6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a8b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43492:$d: DESCrypto 0x1844e:$e: KeepAlive
1.3.wscript.exe.2756be19830.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 64 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Networking:

Sigma detected: MSBuild connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 5.149.255.77, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Initiated: true, ProcessId: 5480, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49829

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Found malware configuration

Show sources

Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 4.2.Notepad.exe.3d699d8.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: 09142021_PDF.vbs

ReversingLabs: Detection: 26%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	ReversingLabs: Detection: 100%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 5.0.Chrome.exe.1e0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.a0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.dhcpmon.exe.a0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:

Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: hmltog.exe, hmltog.exe.10.dr

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 23.94.82.41
Source: Malware configuration extractor	URLs: sys2021.linkpc.net

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

IP Address: 23.94.82.41 23.94.82.41

Source: global traffic	TCP traffic: 192.168.2.6:49743 -> 105.112.53.223:11940
Source: global traffic	TCP traffic: 192.168.2.6:49809 -> 23.94.82.41:11940
Source: global traffic	TCP traffic: 192.168.2.6:49829 -> 5.149.255.77:587

Source: global traffic

TCP traffic: 192.168.2.6:49829 -> 5.149.255.77:587

Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://gEwqkY.com
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Notepad.exe, 00000004.00000003.371547514.0000000004E32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comT.TTF
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTFdL
Source: Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsief0
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Notepad.exe, 00000004.00000003.358898696.0000000004E4D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com8
Source: Notepad.exe, 00000004.00000003.363785033.0000000004E14000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.363111776.0000000004E21000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-d
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnormT
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrru
Source: Notepad.exe, 00000004.00000003.363241096.0000000004E21000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsof
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/font0
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s-c
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: Notepad.exe, 00000004.00000003.379428172.0000000004E21000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.371741312.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Notepad.exe, 00000004.00000003.368283874.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Notepad.exe, 00000004.00000003.368997086.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comx
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Notepad.exe, 00000004.00000003.365756821.0000000004E2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comNX
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.delar
Source: Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deoi
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Notepad.exe, 00000004.00000003.364646531.0000000004E1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnse
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MSBuild.exe, 0000000A.00000002.869802596.0000000003215000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000003.606851732.0000000000ED4000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.870025295.0000000003298000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://t9ePmKiGxqnJEdt3liGF.com
Source: Notepad.exe, 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: sys2021.linkpc.net

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Source: Notepad.exe, 00000004.00000002.410952982.0000000000B58000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: Notepad.exe.1.dr, Dbhandler.cs	Long String: Length: 217896
Source: 4.0.Notepad.exe.3b0000.0.unpack, Dbhandler.cs	Long String: Length: 217896
Source: 4.2.Notepad.exe.3b0000.0.unpack, Dbhandler.cs	Long String: Length: 217896

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026626B0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266AF88
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026620C0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266E108
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266C180
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266FE48
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266EE38
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026626A1
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266F870
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02662400
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02662408
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026620B1
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026639CC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026639D0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A06690
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0A7D0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03580
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03AA8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0368C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A002E8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A002D9
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03623
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03659
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03F89
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00FCF
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00FD0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04F68
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04F58
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A08CA0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A064A8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04CA9
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A054B8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00489
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A05491
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00498
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04831
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04018
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0356F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_000A524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_02543850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_025423A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_02542FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0254306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAF8B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAB891
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAA1E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA1792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA3360
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA5730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA7330
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA2F08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA56D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA33A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_01458110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532E738
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05320D40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532C9D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532A010
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05329058
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_053280D8
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C46D08
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C46950
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C4692F
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_02E70708
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 21_2_05210708

Source: 09142021_PDF.vbs

Initial sample: Strings found which are bigger than 50

Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D19AA NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D1979 NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115B0BA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115B089 NtQuerySystemInformation,

Source: Chrome.exe.1.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999732142857
Source: dhcpmon.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999732142857

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Notepad.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winVBS@12/11@10/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: hmltog.exe, 00000012.00000002.485308423.00000000032E1000.00000004.00000001.sdmp, hmltog.exe, 00000015.00000002.505175873.00000000030D1000.00000004.00000001.sdmp	Binary or memory string: kr/.C:\Users\user\AppData\Roaming\hmltog\*.sln
Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: hmltog.exe	Binary or memory string: *.sln

Source: 09142021_PDF.vbs

ReversingLabs: Detection: 26%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D182E AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D17F7 AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115AF3E AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115AF07 AdjustTokenPrivileges,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Notepad.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{de7e01ad-963b-4e14-81aa-08dfb351f0fe}
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Mutant created: \Sessions\1\BaseNamedObjects\hhdyEjeEgtQTuxIXRQTj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01

Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Chrome.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Chrome.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: 09142021_PDF.vbs

Static file information: File size 1471650 > 1048576

Source:

Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: hmltog.exe, hmltog.exe.10.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\Notepad.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIJ4QGEAAAAAAAAAAOAAAgELAVAAAMAMAAAIAAAAAAAApt8");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Notepad.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Chrome.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\Notepad.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\Chrome.exe")

.NET source code contains potential unpacker

Show sources

Source: Notepad.exe.1.dr, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Chrome.exe.1.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Notepad.exe.3b0000.0.unpack, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Notepad.exe.3b0000.0.unpack, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_003B5E9A push es; iretd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_003B7D46 push cs; ret
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02666F5A pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02666FD2 push ds; retf
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266779D push ebx; ret
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A032C2 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A07706 push es; retf
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A07714 push es; retf
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00F6A push es; retf
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A031C6 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05C14334 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05C142BF push cs; retf

Source: Chrome.exe.1.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: Chrome.exe.1.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.5.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.5.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Notepad.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Chrome.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmltog			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmltog			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	File opened: C:\Users\user\AppData\Local\Temp\Chrome.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe:Zone.Identifier read attributes \| delete

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe TID: 6300	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe TID: 6296	Thread sleep time: -40000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep count: 1200 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -36000000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep count: 35 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe TID: 5748	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: threadDelayed 394
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: threadDelayed 1370
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: foregroundWindowGot 1166
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: foregroundWindowGot 447
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 1200

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477

Source: Notepad.exe, 00000004.00000002.411103609.0000000000C02000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 09142021_PDF.vbs	Binary or memory string: Dim IBtoeUPykBMFiGDyawAolQRWcqXUsQdFYeVwUHmnAOSjiQudAbpngXTskWLowuGTXGgDlGeSKNnWxioMwuUQbpZBLdMxwxqGIzMcjqstxWdTjwuBizsCZprhgfsIugWNWhOxVMcFBbTFMGSOiKPwFogSIfvExkyQAQxBiwgWWmAyWmUaMdZjRZIhAvpqRYHRcCEwJQflet
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Chrome.exe, 00000005.00000003.455107146.0000000000841000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2!
Source: wscript.exe, 00000001.00000003.346093105.000002756A691000.00000004.00000001.sdmp	Binary or memory string: nQwLmzyelpgCwqJhXPErFsNqyAFJxHofpkBqgPShKTeBtAHEsZDBtxVuCGNluphdABNMoTAIwXgmOLwxtAQXEnlsPHnaCgnVlABsnuQZYvEVQjgrKPrtYJZNPVxhfaFQkLANKDKzkqyJiQbfawPmouwbbncRxjuypolEiShGFsIhKQeztRGjKTbqOYmWasCBwATufWxHPJgIA{
Source: Notepad.exe, 00000004.00000002.411103609.0000000000C02000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware13XA57K6Win32_VideoControllerLDM5VS5DVideoController120060621000000.000000-0002029.670display.infMSBDA7YS7HNXAPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsL54N_7SB
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: wscript.exe, 00000001.00000003.346046444.000002756B3BE000.00000004.00000001.sdmp	Binary or memory string: IBtoeUPykBMFiGDyawAolQRWcqXUsQdFYeVwUHmnAOSjiQudAbpngXTskWLowuGTXGgDlGeSKNnWxioMwuUQbpZBLdMxwxqGIzMcjqstxWdTjwuBizsCZprhgfsIugWNWhOxVMcFBbTFMGSOiKPwFogSIfvExkyQAQxBiwgWWmAyWmUaMdZjRZIhAvpqRYHRcCEwJQflet@
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 09142021_PDF.vbs	Binary or memory string: Dim nQwLmzyelpgCwqJhXPErFsNqyAFJxHofpkBqgPShKTeBtAHEsZDBtxVuCGNluphdABNMoTAIwXgmOLwxtAQXEnlsPHnaCgnVlABsnuQZYvEVQjgrKPrtYJZNPVxhfaFQkLANKDKzkqyJiQbfawPmouwbbncRxjuypolEiShGFsIhKQeztRGjKTbqOYmWasCBwATufWxHPJg
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 10_2_00EA0C20 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: Notepad.exe.1.dr

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A

Injects files into Windows application

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 438000
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 43A000
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D02008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}

Source: Chrome.exe, 00000005.00000003.488720785.000000000085A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Chrome.exe, 00000005.00000003.697902390.0000000000841000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Chrome.exe, 00000005.00000003.427566687.0000000000839000.00000004.00000001.sdmp	Binary or memory string: Program ManagerX
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Code function: 4_2_065D1212 GetUserNameA,

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Detected Nanocore Rat

Show sources

Source: wscript.exe, 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Chrome.exe, 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Chrome.exe.1.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	Input Capture121	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Scripting121	Credentials in Registry1	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing12	LSA Secrets	Security Software Discovery421	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol111	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion241	DCSync	Virtualization/Sandbox Evasion241	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
09142021_PDF.vbs	27%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Notepad.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	86%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\Chrome.exe	86%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.Chrome.exe.1e0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.dhcpmon.exe.a0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
7.0.dhcpmon.exe.a0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/font0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.comNX	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cna-d	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sakkal.comx	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/9	0%	Avira URL Cloud	safe
http://www.fontbureau.comT.TTF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.urwpp.deoi	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ww.m	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.delar	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://gEwqkY.com	0%	Avira URL Cloud	safe
23.94.82.41	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.zhongyicts.com.cnse	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/R	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.founder.com.cn/cnrru	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comrsief0	0%	Avira URL Cloud	safe
http://www.fontbureau.comTTFdL	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnormT	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://t9ePmKiGxqnJEdt3liGF.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s-c	0%	Avira URL Cloud	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.founder.com.cn/cnsof	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.quanturnvia.com	5.149.255.77	true	true		unknown
sys2021.linkpc.net	105.112.53.223	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
23.94.82.41	true	Avira URL Cloud: safe	unknown
sys2021.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/font0	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comNX	Notepad.exe, 00000004.00000003.365756821.0000000004E2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cna-d	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.comx	Notepad.exe, 00000004.00000003.368997086.0000000004E22000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/9	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comT.TTF	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deoi	Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/h	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ww.m	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.delar	Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.come	Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Notepad.exe, 00000004.00000003.368283874.0000000004E22000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Notepad.exe, 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://gEwqkY.com	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnse	Notepad.exe, 00000004.00000003.364646531.0000000004E1E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/R	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/L	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnrru	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsief0	Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comTTFdL	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Notepad.exe, 00000004.00000003.363785033.0000000004E14000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.363111776.0000000004E21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnormT	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	Notepad.exe, 00000004.00000003.379428172.0000000004E21000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.371741312.0000000004E22000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t9ePmKiGxqnJEdt3liGF.com	MSBuild.exe, 0000000A.00000002.869802596.0000000003215000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000003.606851732.0000000000ED4000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.870025295.0000000003298000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comitu	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comals	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/s-c	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Notepad.exe, 00000004.00000003.371547514.0000000004E32000.00000004.00000001.sdmp	false		high
http://www.fonts.com8	Notepad.exe, 00000004.00000003.358898696.0000000004E4D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnsof	Notepad.exe, 00000004.00000003.363241096.0000000004E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
23.94.82.41	unknown	United States	36352	AS-COLOCROSSINGUS	true
5.149.255.77	mail.quanturnvia.com	United Kingdom	59711	HZ-NL-ASGB	true
105.112.53.223	sys2021.linkpc.net	Nigeria	36873	VNL1-ASNG	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483646
Start date:	15.09.2021
Start time:	10:49:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	09142021_PDF.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winVBS@12/11@10/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.3% (good quality ratio 0.8%) Quality average: 6.5% Quality standard deviation: 15.1%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.82.209.183, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.35.236.56, 20.50.102.62 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:50:16	API Interceptor	1935x Sleep call for process: Chrome.exe modified
10:50:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
10:50:35	API Interceptor	1x Sleep call for process: Notepad.exe modified
10:50:51	API Interceptor	1718x Sleep call for process: MSBuild.exe modified
10:51:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run hmltog C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
10:51:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run hmltog C:\Users\user\AppData\Roaming\hmltog\hmltog.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.94.82.41	09112021_pdf.vbs	Get hash	malicious	Browse
	02_extracted.exe	Get hash	malicious	Browse
	09062021_PDF.vbs	Get hash	malicious	Browse
	09052021_PDF.vbs	Get hash	malicious	Browse
	09042021_PDF.vbs	Get hash	malicious	Browse
	PRODUCT INVOICESPDF.exe	Get hash	malicious	Browse
	11_extracted.exe	Get hash	malicious	Browse
	Payment Order_PDF.vbs	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sys2021.linkpc.net	09112021_pdf.vbs	Get hash	malicious	Browse	105.112.45.229
	02_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	01_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	P4ImU1Vrfj.exe	Get hash	malicious	Browse	192.227.128.168
	09062021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	09052021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	09042021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	8202021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	8192021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	PRODUCT INVOICESPDF.exe	Get hash	malicious	Browse	192.227.128.168
	02_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	PRODUCT INVOICES_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	Invoice NeededPDF.exe	Get hash	malicious	Browse	192.227.128.168
	Inv-04_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	Ee50nK4E89.exe	Get hash	malicious	Browse	192.227.128.168
	11_extracted.exe	Get hash	malicious	Browse	197.210.29.244
	01_extracted.exe	Get hash	malicious	Browse	197.210.29.244
	Payment Order for #0025_PDF.vbs	Get hash	malicious	Browse	197.210.29.244
	Payment Order_PDF.vbs	Get hash	malicious	Browse	23.94.82.41
mail.quanturnvia.com	09112021_pdf.vbs	Get hash	malicious	Browse	5.149.255.77

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	Swift Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	vkb.xlsx	Get hash	malicious	Browse	192.3.13.11
	Transfer Swift.xlsx	Get hash	malicious	Browse	172.245.26.190
	ORDER 5172020.xlsx	Get hash	malicious	Browse	198.12.84.109
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	proforma invoice.xlsx	Get hash	malicious	Browse	192.3.141.149
	Swift_Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	PO-80722 .xlsx	Get hash	malicious	Browse	198.12.84.109
	MT103-Swift Copy.xlsx	Get hash	malicious	Browse	198.46.199.203
	Items_quote.xlsx	Get hash	malicious	Browse	172.245.26.145
	Usd_transfer.xlsx	Get hash	malicious	Browse	172.245.26.145
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	ORDER RFQ1009202.xlsx	Get hash	malicious	Browse	23.95.85.181
	msn.xlsx	Get hash	malicious	Browse	198.12.127.217
	swift.xlsx	Get hash	malicious	Browse	198.46.199.171
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	198.12.107.117
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	172.245.26.190
	Po2142021.xlsx	Get hash	malicious	Browse	198.12.107.117
	UPDATED SOA - JUNE & JUULY & AUGUST.xlsx	Get hash	malicious	Browse	192.3.146.254
	USD INV#1191189.xlsx	Get hash	malicious	Browse	192.3.146.254

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.447937910582972
Encrypted:	false
SSDEEP:	6144:wLV6Bta6dtJmakIM5pFmHi8ieZv00yRQ+E2c8:wLV6BtpmkGFmC83KWH2c8
MD5:	A9C24A18FBD231939EB608A7A2087A49
SHA1:	1FF543A9B901E0064DC51643445AB4D06BD3815E
SHA-256:	8825944DDA4E2F28B26B51D7F4F9869EE5FA0553432414C4A9DF266FCB81C3B4
SHA-512:	2D88103A0AE1B614F76BC43BE8E5B9DE5F3DAA5C56454E7F6F28D581593803AD6D5605ECAE7671CEC57B39DBDB0A15BB802E6763689B4E02E83F76F55CCED1B7
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 86%, Browse Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Notepad.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Notepad.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	794
Entropy (8bit):	5.275237952673745
Encrypted:	false
SSDEEP:	24:MLF20NaL3z2p29hJ5g522rW2xAi3AP29XBT:MwLLD2Y9h3go2rxxAcAO9XBT
MD5:	DA438C60C1B51D4F4CC7570ED3423896
SHA1:	6A381EA43A25330861EBDD9035C396FCAF1F8B3F
SHA-256:	067E533EFB173D68852FBAFED12FBE975141C44FB7E7CEDEE754BBC8A81CCCF7
SHA-512:	6727E148508CD60C5DC0F9E515B56C8522B7FEEAE18B4AEC990612ED65FAB488FFF8BAA71CE6E7A073F30466F0E8D62B6B307A131F85F29B9434E0A4CBE70FA7
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hmltog.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.user, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Chrome.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.447937910582972
Encrypted:	false
SSDEEP:	6144:wLV6Bta6dtJmakIM5pFmHi8ieZv00yRQ+E2c8:wLV6BtpmkGFmC83KWH2c8
MD5:	A9C24A18FBD231939EB608A7A2087A49
SHA1:	1FF543A9B901E0064DC51643445AB4D06BD3815E
SHA-256:	8825944DDA4E2F28B26B51D7F4F9869EE5FA0553432414C4A9DF266FCB81C3B4
SHA-512:	2D88103A0AE1B614F76BC43BE8E5B9DE5F3DAA5C56454E7F6F28D581593803AD6D5605ECAE7671CEC57B39DBDB0A15BB802E6763689B4E02E83F76F55CCED1B7
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 86%, Browse Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Temp\Notepad.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	838144
Entropy (8bit):	6.081092945132605
Encrypted:	false
SSDEEP:	12288:l83ory3veUbILoxew9VhmJmpeSoAfTU6tWq:lDIee8+mGoAfTU6Eq
MD5:	033B15C82C1F08143DA87E0F4D1AD9BC
SHA1:	8E0436CA6C3A04EF9158779A167558136D160578
SHA-256:	95BF92B7472F7475789FB6838C8C3EED943C69EFE8B3E2A9DF4714D189FB59CB
SHA-512:	979D35460519C2F3E4363E25608D44D195AE9BE07902F69529D99A18833DACA0BE6BEB6E32B8BCAFB3A2E7578E2B38A9E8B8856041E6288EE78342556C47D045
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x@a..............P.................. ........@.. ....................... ............@.................................T...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........\...............d...z...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\Chrome.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:SG+t:SG+t
MD5:	C4EAAD30813C874DC8DA4CAA8F2D054C
SHA1:	C011FAE0CF642FB0381E6C0206D22E2CD923A816
SHA-256:	EAB05C007E1FAEDE7355F0FC43BC76095A26C12396F5BAAB48DC1813C05003D6
SHA-512:	6C8325CB7CC3986844A6C1FDCBD44774D2873DBFA331439F39C22D21D1448969258560349A61D0BB1EB38D11B85C7F194DBA61AC4C3B94F60AE073D86E9D11A8
Malicious:	true
Reputation:	unknown
Preview:	Y..Fqx.H

C:\Users\user\AppData\Roaming\hmltog\hmltog.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tfeoxaxs.grf\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Build user Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.3236705425594835
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	09142021_PDF.vbs
File size:	1471650
MD5:	4a638d451c40bc23491a0c79b6561d29
SHA1:	5caa98e6150e72cff32549541ab937cc952b769c
SHA256:	62e85b9481efe0bb5921277ce40acb236dba44be1bbe8bab2be8068eef10c341
SHA512:	410334862dfa2d11e847969405545142ccd3d1654add3b11f5c23cbcb5112ae801a1aefc25bee8d851d044ffd3e8e99cfd0c8a7fc05fc21ee948c0f83ac600ac
SSDEEP:	12288:0UL1Nfz4Y0BgIVv1Mt/MMNLDT/DrEiv9ByYU2jB0liBsrvr21H6wonm7c4W1VVhj:zv8Dv1MuMp/JBH+l8srvria57rV0FwP7
File Content Preview:	on error resume next..Dim SNgEqCPQQbWMHuXZTLRZLRJqDDkJhViPxZWqJgtrDhThqknktVsdPIFBDqBnSFjvtGPhXgQmRaVdxbzTPAPMcFApTVmSfFZyyYojVGMMFGLomcEbqiYRpXSnGZOCuxGMBXfYnPxJoCGWuLCrRLbxhHIaFAcvrJSHAznPwfobkOdmQwtvXWkjWIetOESmmCRekzWvXnvlXANS..'dVKJGhXUYjlrUtArNBoixz

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:50:19.306777000 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:22.316092968 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:28.316631079 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:41.293034077 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:44.302396059 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:50.342758894 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:01.553158045 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:04.554112911 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:10.554585934 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:21.782233000 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:24.790155888 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:30.791054010 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:40.443243027 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:43.448211908 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:49.457070112 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:00.962013006 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:03.971230030 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:09.987334967 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:19.833290100 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:21.162101984 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.189008951 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.189109087 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.256990910 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.257353067 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.286353111 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.286890030 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.314744949 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.315071106 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.343508005 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.343986034 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.370634079 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.370991945 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.397991896 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.401993036 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.428607941 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.428678989 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.431670904 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.431940079 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432214975 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432436943 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432615995 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432784081 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432975054 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.458610058 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.458931923 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.459191084 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.465493917 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.519562006 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.376977921 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.403907061 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.404352903 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.469660044 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.469952106 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.498035908 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.498641014 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.526045084 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.526700974 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.554003000 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.554395914 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.581418037 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.581680059 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.609419107 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.609725952 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.636522055 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.636557102 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.636987925 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637131929 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637283087 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637492895 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637604952 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637737036 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637830019 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638125896 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638169050 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638268948 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.663836956 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664103031 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664314032 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664923906 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.683985949 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.739510059 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.847888947 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:28.864120960 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:37.386285067 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:40.396414042 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:46.412393093 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:54.468350887 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:57.475806952 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:53:03.491971016 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:53:11.777662992 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:14.789907932 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:20.790340900 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:28.959137917 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:31.948081017 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:37.963964939 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:46.091742992 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:49.089564085 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:55.090881109 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:54:04.782836914 CEST	49836	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:54:07.778820038 CEST	49836	11940	192.168.2.6	105.112.53.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:50:04.125307083 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:04.160633087 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:19.138469934 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:19.287982941 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:36.899993896 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:36.932965994 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:41.153657913 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:41.291009903 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:55.433137894 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:55.457901955 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.171010017 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.201704979 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.399852991 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.550944090 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.708643913 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.761490107 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.036664963 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:02.081840992 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.616884947 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:02.647747040 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.981756926 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:03.047548056 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:05.194477081 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:05.251976013 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:05.781666994 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:05.808219910 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:06.416080952 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:06.446599007 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:07.227823973 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:07.283915997 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:08.054306030 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:08.083729982 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:08.551827908 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:08.576860905 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:13.072951078 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:13.102680922 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:32.466561079 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:32.496287107 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:51.152565956 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:51.197371006 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:53.104293108 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:53.147177935 CEST	53	63718	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:19.785521984 CEST	62116	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:19.815593004 CEST	53	62116	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:21.006614923 CEST	63816	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:21.049338102 CEST	53	63816	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:22.325558901 CEST	55014	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:22.374388933 CEST	53	55014	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:37.239762068 CEST	62208	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:37.384242058 CEST	53	62208	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:54.328156948 CEST	57574	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:54.457591057 CEST	53	57574	8.8.8.8	192.168.2.6
Sep 15, 2021 10:54:04.651829958 CEST	51818	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:54:04.781595945 CEST	53	51818	8.8.8.8	192.168.2.6
Sep 15, 2021 10:54:21.328382015 CEST	56628	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:54:21.357949972 CEST	53	56628	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 10:50:19.138469934 CEST	192.168.2.6	8.8.8.8	0xbe37	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:50:41.153657913 CEST	192.168.2.6	8.8.8.8	0x89ea	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:51:01.399852991 CEST	192.168.2.6	8.8.8.8	0xb4d8	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:19.785521984 CEST	192.168.2.6	8.8.8.8	0x4f09	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:21.006614923 CEST	192.168.2.6	8.8.8.8	0x1099	Standard query (0)	mail.quanturnvia.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:22.325558901 CEST	192.168.2.6	8.8.8.8	0xb403	Standard query (0)	mail.quanturnvia.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:37.239762068 CEST	192.168.2.6	8.8.8.8	0x8e11	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:54.328156948 CEST	192.168.2.6	8.8.8.8	0x3f29	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:04.651829958 CEST	192.168.2.6	8.8.8.8	0x5bd1	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:21.328382015 CEST	192.168.2.6	8.8.8.8	0x31f5	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 15, 2021 10:50:19.287982941 CEST	8.8.8.8	192.168.2.6	0xbe37	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:50:41.291009903 CEST	8.8.8.8	192.168.2.6	0x89ea	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:51:01.550944090 CEST	8.8.8.8	192.168.2.6	0xb4d8	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:19.815593004 CEST	8.8.8.8	192.168.2.6	0x4f09	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:21.049338102 CEST	8.8.8.8	192.168.2.6	0x1099	No error (0)	mail.quanturnvia.com	5.149.255.77	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:22.374388933 CEST	8.8.8.8	192.168.2.6	0xb403	No error (0)	mail.quanturnvia.com	5.149.255.77	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:37.384242058 CEST	8.8.8.8	192.168.2.6	0x8e11	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:54.457591057 CEST	8.8.8.8	192.168.2.6	0x3f29	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:04.781595945 CEST	8.8.8.8	192.168.2.6	0x5bd1	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:21.357949972 CEST	8.8.8.8	192.168.2.6	0x31f5	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 15, 2021 10:52:21.256990910 CEST	587	49829	5.149.255.77	192.168.2.6	220 mail.quanturnvia.com ESMTP Exim 4.92.3 Wed, 15 Sep 2021 08:52:21 +0000
Sep 15, 2021 10:52:21.257353067 CEST	49829	587	192.168.2.6	5.149.255.77	EHLO 760639
Sep 15, 2021 10:52:21.286353111 CEST	587	49829	5.149.255.77	192.168.2.6	250-mail.quanturnvia.com Hello 760639 [84.17.52.51] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Sep 15, 2021 10:52:21.286890030 CEST	49829	587	192.168.2.6	5.149.255.77	AUTH login aW5mb0BxdWFudHVybnZpYS5jb20=
Sep 15, 2021 10:52:21.314744949 CEST	587	49829	5.149.255.77	192.168.2.6	334 UGFzc3dvcmQ6
Sep 15, 2021 10:52:21.343508005 CEST	587	49829	5.149.255.77	192.168.2.6	235 Authentication succeeded
Sep 15, 2021 10:52:21.343986034 CEST	49829	587	192.168.2.6	5.149.255.77	MAIL FROM:<info@quanturnvia.com>
Sep 15, 2021 10:52:21.370634079 CEST	587	49829	5.149.255.77	192.168.2.6	250 OK
Sep 15, 2021 10:52:21.370991945 CEST	49829	587	192.168.2.6	5.149.255.77	RCPT TO:<info@quanturnvia.com>
Sep 15, 2021 10:52:21.397991896 CEST	587	49829	5.149.255.77	192.168.2.6	250 Accepted
Sep 15, 2021 10:52:21.401993036 CEST	49829	587	192.168.2.6	5.149.255.77	DATA
Sep 15, 2021 10:52:21.428678989 CEST	587	49829	5.149.255.77	192.168.2.6	354 Enter message, ending with "." on a line by itself
Sep 15, 2021 10:52:21.432975054 CEST	49829	587	192.168.2.6	5.149.255.77	.
Sep 15, 2021 10:52:21.465493917 CEST	587	49829	5.149.255.77	192.168.2.6	250 OK id=1mQQeT-0002Hl-DE
Sep 15, 2021 10:52:22.469660044 CEST	587	49830	5.149.255.77	192.168.2.6	220 mail.quanturnvia.com ESMTP Exim 4.92.3 Wed, 15 Sep 2021 08:52:22 +0000
Sep 15, 2021 10:52:22.469952106 CEST	49830	587	192.168.2.6	5.149.255.77	EHLO 760639
Sep 15, 2021 10:52:22.498035908 CEST	587	49830	5.149.255.77	192.168.2.6	250-mail.quanturnvia.com Hello 760639 [84.17.52.51] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Sep 15, 2021 10:52:22.498641014 CEST	49830	587	192.168.2.6	5.149.255.77	AUTH login aW5mb0BxdWFudHVybnZpYS5jb20=
Sep 15, 2021 10:52:22.526045084 CEST	587	49830	5.149.255.77	192.168.2.6	334 UGFzc3dvcmQ6
Sep 15, 2021 10:52:22.554003000 CEST	587	49830	5.149.255.77	192.168.2.6	235 Authentication succeeded
Sep 15, 2021 10:52:22.554395914 CEST	49830	587	192.168.2.6	5.149.255.77	MAIL FROM:<info@quanturnvia.com>
Sep 15, 2021 10:52:22.581418037 CEST	587	49830	5.149.255.77	192.168.2.6	250 OK
Sep 15, 2021 10:52:22.581680059 CEST	49830	587	192.168.2.6	5.149.255.77	RCPT TO:<info@quanturnvia.com>
Sep 15, 2021 10:52:22.609419107 CEST	587	49830	5.149.255.77	192.168.2.6	250 Accepted
Sep 15, 2021 10:52:22.609725952 CEST	49830	587	192.168.2.6	5.149.255.77	DATA
Sep 15, 2021 10:52:22.636557102 CEST	587	49830	5.149.255.77	192.168.2.6	354 Enter message, ending with "." on a line by itself
Sep 15, 2021 10:52:22.638268948 CEST	49830	587	192.168.2.6	5.149.255.77	.
Sep 15, 2021 10:52:22.683985949 CEST	587	49830	5.149.255.77	192.168.2.6	250 OK id=1mQQeU-0002Hq-Jw

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 7012 Parent PID: 3440

General

Start time:	10:50:08
Start date:	15/09/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'
Imagebase:	0x7ff7cfa80000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Analysis Process: Notepad.exe PID: 3664 Parent PID: 7012

General

Start time:	10:50:14
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Local\Temp\Notepad.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Imagebase:	0x3b0000
File size:	838144 bytes
MD5 hash:	033B15C82C1F08143DA87E0F4D1AD9BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: Chrome.exe PID: 5276 Parent PID: 7012

General

Start time:	10:50:14
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Local\Temp\Chrome.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Imagebase:	0x1e0000
File size:	207360 bytes
MD5 hash:	A9C24A18FBD231939EB608A7A2087A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, Metadefender, Browse Detection: 100%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6560 Parent PID: 3440

General

Start time:	10:50:28
Start date:	15/09/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xa0000
File size:	207360 bytes
MD5 hash:	A9C24A18FBD231939EB608A7A2087A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, Metadefender, Browse Detection: 100%, ReversingLabs
Reputation:	low

Analysis Process: MSBuild.exe PID: 5480 Parent PID: 3664

General

Start time:	10:50:38
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xa30000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: hmltog.exe PID: 4328 Parent PID: 3440

General

Start time:	10:51:12
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Imagebase:	0xc40000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: conhost.exe PID: 6140 Parent PID: 4328

General

Start time:	10:51:13
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: hmltog.exe PID: 3728 Parent PID: 3440

General

Start time:	10:51:20
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Imagebase:	0xa50000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exe PID: 2088 Parent PID: 3728

General

Start time:	10:51:22
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 09142021_PDF.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Threatname: Agenttesla

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Networking:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre