
Windows Analysis Report KRSEL0000056286.JPG.scr

Overview

General Information

Sample Name: KRSEL0000056286.JPG.scr (renamed file extension from scr to exe)
Analysis ID: 501775
MD5: d6f040b4d7d217b8525dff843feba635
SHA1: 8ed8beaceddf8e8e9ba4b601d1e985e5c7c2d7d9
SHA256: 940ad66c876976f4a05f12710687f5abb76443f693dd3986d1ff7a4c73fc866f
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

  • System is w10x64
  • KRSEL0000056286.JPG.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\KRSEL0000056286.JPG.exe' MD5: D6F040B4D7D217B8525DFF843FEBA635)
    • upstsdssm.pif (PID: 6032 cmdline: 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw MD5: 8E699954F6B5D64683412CC560938507)
      • RegSvcs.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 5036 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5312 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2F02.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5484 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5108 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • upstsdssm.pif (PID: 3296 cmdline: 'C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF' C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw MD5: 8E699954F6B5D64683412CC560938507)
    • RegSvcs.exe (PID: 7128 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 6200 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\33911166\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • dhcpmon.exe (PID: 6440 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 2600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "ba2baad0-dd3f-4844-a1e3-4d042f9a",
  "Group": "HOBBIT",
  "Domain1": "strongodss.ddns.net",
  "Domain2": "185.19.85.175",
  "Port": 48562,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Enable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8009,
  "BufferSize": "02000100",
  "MaxPacketSize": "",
  "GCThreshold": "",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf9dd:$x1: NanoCore.ClientPluginHost
  • 0xfa1a:$x2: IClientNetworkHost
  • 0x1354d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xf745:$a: NanoCore
  • 0xf755:$a: NanoCore
  • 0xf989:$a: NanoCore
  • 0xf99d:$a: NanoCore
  • 0xf9dd:$a: NanoCore
  • 0xf7a4:$b: ClientPlugin
  • 0xf9a6:$b: ClientPlugin
  • 0xf9e6:$b: ClientPlugin
  • 0xf8cb:$c: ProjectData
  • 0x102d2:$d: DESCrypto
  • 0x17c9e:$e: KeepAlive
  • 0x15c8c:$g: LogClientMessage
  • 0x11e87:$i: get_Connected
  • 0x10608:$j: #=q
  • 0x10638:$j: #=q
  • 0x10654:$j: #=q
  • 0x10684:$j: #=q
  • 0x106a0:$j: #=q
  • 0x106bc:$j: #=q
  • 0x106ec:$j: #=q
  • 0x10708:$j: #=q
00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf9fd:$x1: NanoCore.ClientPluginHost
  • 0x44205:$x1: NanoCore.ClientPluginHost
  • 0xfa3a:$x2: IClientNetworkHost
  • 0x44242:$x2: IClientNetworkHost
  • 0x1356d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47d75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
118 entries in total; remaining entries not shown

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.RegSvcs.exe.3723f8c.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40a6:$x1: NanoCore.ClientPluginHost
5.2.RegSvcs.exe.3723f8c.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x40a6:$x2: NanoCore.ClientPluginHost
  • 0x4184:$s4: PipeCreated
  • 0x40c0:$s5: IClientLoggingHost
18.2.RegSvcs.exe.2f79650.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x42a6:$x1: NanoCore.ClientPluginHost
18.2.RegSvcs.exe.2f79650.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x42a6:$x2: NanoCore.ClientPluginHost
  • 0x4384:$s4: PipeCreated
  • 0x42c0:$s5: IClientLoggingHost
18.2.RegSvcs.exe.2f79650.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x66a6:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
112 entries in total; remaining entries not shown

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw, ParentImage: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif, ParentProcessId: 6032, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw, ParentImage: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif, ParentProcessId: 6032, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR
Found malware configuration
Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the same NanoCore configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net; Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; ReversingLabs: Detection: 32%
Source: 5.2.RegSvcs.exe.1300000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.RegSvcs.exe.6fb0000.10.unpack; Avira: Label: TR/NanoCore.fadte
Source: 18.2.RegSvcs.exe.9b0000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: KRSEL0000056286.JPG.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: KRSEL0000056286.JPG.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: KRSEL0000056286.JPG.exe
Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.926135585.0000000001AB9000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000002.925539870.0000000000EF2000.00000002.00020000.sdmp, RegSvcs.exe, 0000000B.00000000.702040992.0000000000492000.00000002.00020000.sdmp, dhcpmon.exe, 0000000D.00000002.709198428.0000000000D62000.00000002.00020000.sdmp, RegSvcs.exe, 00000012.00000000.721883511.00000000005E2000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.744063055.0000000000F52000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, RegSvcs.exe, 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 00000014.00000000.744063055.0000000000F52000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user\AppData\Local\Temp\33911166
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe; Code function: 1_2_00A3A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe; Code function: 1_2_00A4AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe; Code function: 1_2_00A59FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_0098399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_0099BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009A2408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_0099280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009C8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009ACAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_00981A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009ADE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_0099BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
Uses dynamic DNS services
Source: unknown; DNS query: name: strongodss.ddns.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 185.19.85.175
Source: Malware configuration extractor; URLs: strongodss.ddns.net
Source: Joe Sandbox View; ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
Source: Joe Sandbox View; IP Address: 185.19.85.175 185.19.85.175
Source: global traffic; TCP traffic: 192.168.2.4:49765 -> 185.19.85.175:48562
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: dhcpmon.exe, 00000014.00000002.746461861.0000000001587000.00000004.00000020.sdmp; String found in binary or memory: http://go.micU
Source: RegSvcs.exe, 0000000B.00000002.704185603.0000000000B65000.00000004.00000020.sdmp; String found in binary or memory: http://go.microsoft.c
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://www.globalsign.net/repository/0
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://www.globalsign.net/repository/03
Source: upstsdssm.pif.1.dr; String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown; DNS traffic detected: queries for: strongodss.ddns.net
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_00992285 InternetQueryDataAvailable,InternetReadFile,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_0099C2F0 GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009AA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009BD8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,
Source: RegSvcs.exe, 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif; Code function: 2_2_009CC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR

      Operating System Destruction:

      Protects its processes via BreakOnTermination flag
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: 01 00 00 00
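The `01 00 00 00` above is the little-endian ULONG value 1 that the sample passes to NtSetInformationProcess with the ProcessBreakOnTermination information class. That marks the process as critical: Windows bugchecks (CRITICAL_PROCESS_DIED) when a critical process exits, so a responder who simply kills the injected RegSvcs.exe host takes the machine down with it. The following PowerShell is an added example, not part of the Joe Sandbox report or of the sample: it lists processes that carry the flag and can clear it before termination. It assumes an elevated Windows PowerShell session; the NtProc wrapper type, the function names and the constants are the example's own.

```powershell
# Added example (not from the report or the sample): find processes marked
# critical via ProcessBreakOnTermination and clear the flag before stopping them.
# Assumes Windows, PowerShell 5.1 or later, elevated session.

$ntSrc = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, ref int info, int infoLength, out int returned);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(
        IntPtr hProcess, int infoClass, ref int info, int infoLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
if (-not ('NtProc' -as [type])) { Add-Type -TypeDefinition $ntSrc }

$ProcessBreakOnTermination = 0x1D        # PROCESSINFOCLASS value 29
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

function Get-BreakOnTermination {
    # Returns $true/$false for the flag, or $null when the process cannot be
    # queried (protected process, System, or already exited).
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $flag = 0; $len = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination,
                                                      [ref]$flag, 4, [ref]$len)
        if ($status -ne 0) { return $null }           # NTSTATUS failure
        return [bool]$flag
    } finally { [void][NtProc]::CloseHandle($h) }
}

function Clear-BreakOnTermination {
    # Writes ULONG 0 to the same information class the sample set to 1.
    # The kernel requires SeDebugPrivilege for this; EnterDebugMode enables it.
    param([Parameter(Mandatory)][int]$ProcessId)
    [System.Diagnostics.Process]::EnterDebugMode()
    $h = [NtProc]::OpenProcess($PROCESS_SET_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed" }
    try {
        $zero = 0
        $status = [NtProc]::NtSetInformationProcess($h, $ProcessBreakOnTermination, [ref]$zero, 4)
        if ($status -ne 0) { throw ("NtSetInformationProcess failed: 0x{0:X8}" -f $status) }
    } finally { [void][NtProc]::CloseHandle($h) }
}

# Report every process that is currently critical, with its image path.
Get-Process | ForEach-Object {
    if ((Get-BreakOnTermination -ProcessId $_.Id) -eq $true) {
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path }
    }
} | Format-Table -AutoSize
```

Legitimately critical processes such as smss.exe, csrss.exe and wininit.exe load from C:\Windows\System32; a critical process whose Path sits under a user profile, as with the Temp copy of RegSvcs.exe in this report, is the anomaly. Run Clear-BreakOnTermination on that PID first, then Stop-Process; the order matters, because the bugcheck fires on exit, not on the kill attempt.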

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 5.2.RegSvcs.exe.3723f8c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.2f79650.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.2f79650.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.63a0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.6380000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.47407ce.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.3f607ce.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.RegSvcs.exe.2f7e6b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 5.2.RegSvcs.exe.3728dec.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.2.RegSvcs.exe.3723f8c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.928515040.00000000063A0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.928459238.0000000006380000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4626D
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A383C0
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A5C0B0
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A330FC
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A50113
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4F3CA
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A433D3
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3F5C5
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3E510
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A50548
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A5C55E
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A466A2
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A32692
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4364E
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A60654
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4589E
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4F8C6
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3E973
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4397F
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3BAD1
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3DADD
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A53CBA
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4FCDE
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A46CDB
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A35D7E
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A33EAD
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A53EE9
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3DF12
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009535F0
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009598F0
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00962136
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0096A137
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0097427D
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099F3A6
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009598F0
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00962508
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099655F
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0095F730
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00963721
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0097088F
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0096C8CE
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009628F0
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00961903
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099EAD5
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009CEA2B
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00973BA1
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00961D98
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00970DE0
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00992D2D
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099CE8D
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00994EB7
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00971F2C
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 5_2_01A0E480
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 5_2_01A0E471
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 5_2_01A0BBD4
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 5_2_072203F0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 18_2_0153E471
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 18_2_0153E480
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 18_2_0153BBD4
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pifCode function: 2_2_00996219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
      Source: upstsdssm.pif.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exeSection loaded: dxgidebug.dll
      Source: KRSEL0000056286.JPG.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 5.2.RegSvcs.exe.3723f8c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.3723f8c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.2f79650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.2f79650.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.2f79650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.2f79650.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.63a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.63a0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.6380000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.6380000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.47407ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.47407ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.3f607ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.3f607ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.RegSvcs.exe.2f7e6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.2f7e6b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.2.RegSvcs.exe.3728dec.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.3728dec.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.RegSvcs.exe.3723f8c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.RegSvcs.exe.3723f8c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.928515040.00000000063A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.928515040.00000000063A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.928459238.0000000006380000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.928459238.0000000006380000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR :: Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR :: Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR :: Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR :: Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR :: Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009833A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: String function: 00A4D940 appears 51 times
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: String function: 00A4D870 appears 35 times
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: String function: 00A4E2F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: String function: 009614F7 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: String function: 00966B90 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: String function: 009959E6 appears 65 times
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: 1_2_00A36FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: KRSEL0000056286.JPG.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: classification engine :: Classification label: mal100.troj.evad.winEXE@21/45@12/1
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File read: C:\Windows\win.ini
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: 1_2_00A36D06 GetLastError,FormatMessageW,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: 1_2_00A4963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: unknown :: Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\33911166\Update.vbs'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File read: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown :: Process created: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe 'C:\Users\user\Desktop\KRSEL0000056286.JPG.exe'
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Process created: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2F02.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown :: Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown :: Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown :: Process created: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif 'C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF' C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: unknown :: Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\33911166\Update.vbs'
Source: unknown :: Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Process created: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2F02.tmp'
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009833A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009B4AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File created: C:\Users\user\AppData\Local\Temp\33911166
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009BE0F6 CoInitialize,CoCreateInstance,CoUninitialize,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009AD606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009C557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Command line argument: sfxname
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Command line argument: sfxstime
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Command line argument: STARTDLG
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File written: C:\Users\user\AppData\Local\Temp\33911166\rwnbbebwm.ini
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs :: Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs :: Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs :: Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs :: Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: Window Recorder :: Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: KRSEL0000056286.JPG.exe :: Static file information: File size 1096674 > 1048576
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KRSEL0000056286.JPG.exe :: Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: KRSEL0000056286.JPG.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: KRSEL0000056286.JPG.exe
Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.926135585.0000000001AB9000.00000004.00000020.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000002.925539870.0000000000EF2000.00000002.00020000.sdmp, RegSvcs.exe, 0000000B.00000000.702040992.0000000000492000.00000002.00020000.sdmp, dhcpmon.exe, 0000000D.00000002.709198428.0000000000D62000.00000002.00020000.sdmp, RegSvcs.exe, 00000012.00000000.721883511.00000000005E2000.00000002.00020000.sdmp, dhcpmon.exe, 00000014.00000000.744063055.0000000000F52000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, RegSvcs.exe, 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 00000014.00000000.744063055.0000000000F52000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
Source: KRSEL0000056286.JPG.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KRSEL0000056286.JPG.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KRSEL0000056286.JPG.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KRSEL0000056286.JPG.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KRSEL0000056286.JPG.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs :: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs :: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: 1_2_00A4E336 push ecx; ret
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Code function: 1_2_00A4D870 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_00966BD5 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Code function: 5_2_07222970 push es; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E21AEF push es; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E232CB push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E24AD6 push ds; retf
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E1F6A2 push ebx; iretd
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E24BA5 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E23AA9 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E2496B push edx; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E25855 push FFFFFFC4h; iretd
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E24317 push dword ptr [ebp+7Fh]; ret
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 15_2_00E2311D push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_0095EE30 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File created: C:\Users\user\AppData\Local\Temp\33911166\__tmp_rar_sfx_access_check_6219562
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs :: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs :: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs :: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.RegSvcs.exe.9b0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs :: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
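The "high entropy of concatenated method names" signature above is a simple, reproducible heuristic: concatenate the method names of a type and measure how many bits of Shannon entropy each character carries. Compiler-emitted names built from English words sit well below 5 bits per character; the base64-looking names in this unpacked assembly sit near the 6-bit ceiling of a 64-symbol alphabet. A second, even cheaper check is that '#', '=' and '$' cannot appear in a C# identifier, so names containing them were rewritten at the IL level after compilation. The script below is an added example, not the sandbox's own scoring code; the ten obfuscated names are copied from the report, while the "ordinary" names and the 5.0-bit threshold are assumptions chosen for illustration.

```python
"""Entropy scoring of .NET method names (added example, not the report's tooling)."""
import math
import re
from collections import Counter
from typing import Iterable

# Copied verbatim from the report (5.2.RegSvcs.exe.1300000.1.unpack).
OBFUSCATED = [
    '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=',
    '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=',
    '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq',
    '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=',
    '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=',
    '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA',
    '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=',
    '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=',
    '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=',
    '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=',
]

# Constructed contrast set: the kind of names a compiler emits from readable source.
ORDINARY = ["GetCurrent", "IsInRole", "CreateDecryptor", "TransformFinalBlock",
            "Load", "Main", "Initialize", "Dispose"]

# C# identifiers: letters, digits, underscore, optional leading '@'.
# '#', '$' and '=' are impossible, so such names were injected post-compilation.
CSHARP_IDENT = re.compile(r"^@?[A-Za-z_][A-Za-z0-9_]*$")


def shannon_entropy(text: str) -> float:
    """Bits per character: 0 for a constant string, log2(alphabet) when uniform."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def score_names(names: Iterable[str], threshold: float = 5.0) -> dict:
    """Score a type's method names the way the sandbox signature does, plus the
    identifier-charset check. `threshold` (5.0 bits) is an assumed cut-off."""
    names = list(names)
    joined = "".join(names)
    entropy = shannon_entropy(joined)
    non_csharp = sum(1 for name in names if not CSHARP_IDENT.match(name))
    return {
        "entropy": entropy,
        "alphabet": len(set(joined)),
        "non_csharp_identifiers": non_csharp,
        "obfuscated": entropy > threshold or non_csharp > 0,
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("ordinary", ORDINARY)):
        print(label, score_names(names))
```

Run it against the names of a type you extracted with a decompiler; the two numbers that matter are the entropy (above the threshold for renamed members, below it for readable ones) and the count of names that could never have come from the C# compiler. The second check has no false positives on C# code, which makes it the better triage signal when an obfuscator keeps entropy low by using short names.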

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: File created: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp'
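The schtasks line above, read together with the process tree listed earlier (self-extracting archive on the Desktop, a .pif launcher in a numbered %TEMP% folder, a RegSvcs.exe copy that is not the .NET Framework tool, and a task definition imported from a tmp file in %TEMP%), gives three independent hunting rules that do not depend on any NanoCore-specific string. The Python below is an added example, not part of the report or of any sandbox product: it runs those rules over process-creation events constructed to mirror this report's tree, plus two benign look-alikes the rules must leave alone. The event record layout, the directory lists and the expected install directories are assumptions, not a particular sensor's schema.

```python
"""Hunting rules for the persistence chain in this report (added example).

Events are CONSTRUCTED to mirror the report's process tree; the record layout
(pid, ppid, image, parent_image, cmdline) is an assumption. Paths use Windows
separators, but only string and ntpath work is done, so this runs anywhere.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Directories any unprivileged user can write to (assumed list). A task
# definition or a "system" binary living here is the signal, whatever its name.
USER_WRITABLE_ROOTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
)

# Microsoft tools the sample abuses, with the only directories they ship in.
# RegSvcs.exe belongs to the .NET Framework; a copy in %TEMP% is a decoy.
EXPECTED_HOMES = {
    "regsvcs.exe": (
        "\\windows\\microsoft.net\\framework\\",
        "\\windows\\microsoft.net\\framework64\\",
    ),
}

# Legacy extensions Windows still runs as programs.
LEGACY_EXEC_EXTS = {".pif", ".scr", ".com"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(root in low for root in USER_WRITABLE_ROOTS)


def schtasks_arg(cmdline: str, flag: str) -> Optional[str]:
    """Value after a schtasks flag; accepts "double", 'single' or unquoted values."""
    pattern = re.escape(flag) + r"""\s+(?:"([^"]+)"|'([^']+)'|(\S+))"""
    match = re.search(pattern, cmdline, re.IGNORECASE)
    if not match:
        return None
    return next(group for group in match.groups() if group is not None)


def rule_task_xml_in_user_path(ev: ProcessEvent) -> Optional[str]:
    """schtasks /create whose /xml definition sits in a user-writable directory."""
    if ntpath.basename(ev.image).lower() != "schtasks.exe":
        return None
    if not re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
        return None
    xml = schtasks_arg(ev.cmdline, "/xml")
    if xml and _user_writable(xml):
        task = schtasks_arg(ev.cmdline, "/tn")
        return f"task {task!r} created from XML in user-writable path {xml}"
    return None


def rule_system_binary_relocated(ev: ProcessEvent) -> Optional[str]:
    """A known Microsoft tool running from somewhere other than where it ships."""
    name = ntpath.basename(ev.image).lower()
    homes = EXPECTED_HOMES.get(name)
    if homes and not any(home in ev.image.lower() for home in homes):
        return f"{name} executed from {ntpath.dirname(ev.image)} instead of its install directory"
    return None


def rule_legacy_extension_from_user_path(ev: ProcessEvent) -> Optional[str]:
    """.pif/.scr/.com launched out of a user-writable directory."""
    ext = ntpath.splitext(ev.image)[1].lower()
    if ext in LEGACY_EXEC_EXTS and _user_writable(ev.image):
        return f"{ext} executable launched from user-writable path {ev.image}"
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_task_xml_in_user_path,
    rule_system_binary_relocated,
    rule_legacy_extension_from_user_path,
]


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; (pid, finding) pairs in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                findings.append((ev.pid, finding))
    return findings


# Constructed events modelled on the report's process tree, followed by two
# benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    ProcessEvent(1, 100, r"C:\Users\user\Desktop\KRSEL0000056286.JPG.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Users\user\Desktop\KRSEL0000056286.JPG.exe"'),
    ProcessEvent(2, 1, r"C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif",
                 r"C:\Users\user\Desktop\KRSEL0000056286.JPG.exe",
                 r'"C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif" sqbr.wlw'),
    ProcessEvent(5, 2, r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
                 r"C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif",
                 r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"),
    ProcessEvent(6, 5, r"C:\Windows\SysWOW64\schtasks.exe",
                 r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
                 r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp"'),
    # Benign: the real RegSvcs.exe from its framework directory.
    ProcessEvent(7, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"RegSvcs.exe MyComponent.dll"),
    # Benign: an administrator importing a task from a non-user-writable path.
    ProcessEvent(8, 100, r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\Deploy\backup.xml"'),
]


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Against the sample events the rules fire exactly on the .pif launcher, the relocated RegSvcs.exe and the schtasks import from %TEMP%, and stay silent on the genuine framework binary and the administrator's task import. The sandbox renders arguments with single quotes while real command lines use double quotes, which is why `schtasks_arg` accepts both.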

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: jpg.exe :: Static PE information: KRSEL0000056286.JPG.exe
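The original lure name was KRSEL0000056286.JPG.scr (the sandbox renamed .scr to .exe before analysis). A screensaver is an ordinary PE that Windows runs on double-click, and with Explorer's default "Hide extensions for known file types" the user sees only "KRSEL0000056286.JPG". The dropped launcher adds a second trick: a .pif is executed as a program and Explorer never shows that extension at all, and the 8.3 short name UPSTSD~1.PIF seen in the process list defeats naive long-name matching. The helper below is an added example for a mail or download gateway, not the sandbox's own check; the extension lists are assumptions to be tuned per environment, and the right-to-left-override check is a generalisation to the related Unicode trick that this report does not show.

```python
"""Deceptive-filename checks for the double-extension lure (added example)."""
import ntpath
import re

# Extensions Windows runs as programs or scripts on double-click (assumed list).
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk",
}
# Extensions that make a file look like harmless content (assumed list).
DECOY_EXTS = {
    "jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "xls", "xlsx",
    "ppt", "pptx", "txt", "mp3", "mp4", "zip",
}
# U+202E reverses rendering of everything after it, so "invoice<RLO>fdp.exe"
# displays as "invoiceexe.pdf". Not in this report; included as the sibling trick.
RIGHT_TO_LEFT_OVERRIDE = "\u202e"


def analyze_filename(path: str) -> dict:
    """Describe how a name looks to a user versus what Windows would execute."""
    name = ntpath.basename(path)
    # Judge the real extension after removing any directional override.
    clean = name.replace(RIGHT_TO_LEFT_OVERRIDE, "")
    parts = clean.lower().split(".")
    true_ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2] if len(parts) > 2 else ""
    # 8.3 short names such as UPSTSD~1.PIF hide the long name from matching.
    short_name = re.search(r"~\d+(\.|$)", clean) is not None
    # What Explorer shows with "Hide extensions for known file types" enabled.
    displayed = clean.rsplit(".", 1)[0] if "." in clean else clean
    return {
        "name": name,
        "true_ext": true_ext,
        "decoy_ext": inner_ext if inner_ext in DECOY_EXTS else "",
        "executable": true_ext in EXECUTABLE_EXTS,
        "double_extension": true_ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS,
        "rlo_override": RIGHT_TO_LEFT_OVERRIDE in name,
        "short_name": short_name,
        "displayed_as": displayed,
    }


def is_deceptive(path: str) -> bool:
    """True when the name is built to make an executable look like content."""
    info = analyze_filename(path)
    return info["double_extension"] or info["rlo_override"]


if __name__ == "__main__":
    for sample in (r"C:\Users\user\Desktop\KRSEL0000056286.JPG.scr",
                   r"C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF",
                   "holiday.jpg"):
        print(analyze_filename(sample))
```

The useful output for triage is the pair `displayed_as` / `true_ext`: when the first ends in a content extension and the second is executable, the file was named to be misread. Note that the sandbox's own rename from .scr to .exe does not change the verdict, since both are executable extensions behind the same .JPG decoy.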
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009CA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Code function: 2_2_009843FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe :: Process information set: NOOPENFILEERRORBOX (15 identical entries)
Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif :: Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe :: Process information set: NOOPENFILEERRORBOX (17 identical entries)
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM autoit script
      Source: Yara match | File source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif TID: 352 | Thread sleep count: 62 > 30
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif TID: 352 | Thread sleep count: 48 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif TID: 6828 | Thread sleep count: 73 > 30
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif TID: 6828 | Thread sleep count: 118 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6420 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 6054
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 3445
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: foregroundWindowGot 771
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user\AppData\Local\Temp\33911166
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user\AppData
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user\AppData\Local\Temp
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | File opened: C:\Users\user\AppData\Local
      Source: upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then
      Source: upstsdssm.pif, 00000002.00000003.698185321.0000000003CE7000.00000004.00000001.sdmp | Binary or memory string: VboxService.exefE
      Source: upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then7n
      Source: upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe
      Source: sqbr.wlw.1.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: sqbr.wlw.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
      Source: upstsdssm.pif, 00000002.00000003.696703063.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then41c
      Source: upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe8
      Source: sqbr.wlw.1.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: upstsdssm.pif, 00000002.00000002.699453431.0000000003CBF000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe:
      Source: upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6{"
      Source: RegSvcs.exe, 00000005.00000002.926163307.0000000001AD5000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: upstsdssm.pif, 00000002.00000003.683786597.0000000003CB1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then41c>2
      Source: upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe
      Source: upstsdssm.pif, 00000002.00000003.696703063.0000000003CC1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then9K
      Source: upstsdssm.pif, 00000002.00000003.683786597.0000000003CB1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then9K!2
      Source: upstsdssm.pif, 00000002.00000003.683786597.0000000003CB1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: upstsdssm.pif, 00000002.00000003.698185321.0000000003CE7000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe<E
      Source: sqbr.wlw.1.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
      Source: upstsdssm.pif, 00000002.00000003.698185321.0000000003CE7000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
      Source: upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then1z0
      Source: upstsdssm.pif, 00000002.00000002.699453431.0000000003CBF000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6
      Source: upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
      Source: upstsdssm.pif, 00000002.00000003.683786597.0000000003CB1000.00000004.00000001.sdmp, upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: sqbr.wlw.1.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4D353 VirtualQuery,GetSystemInfo,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A59FD3 FindFirstFileExA,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0098399B GetFileAttributesW,FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009A2408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009C8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009ACAE7 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00981A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009ADE7C FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0095EE30 LoadLibraryA,GetProcAddress,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A56AF3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A5ACA1 GetProcessHeap,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009AA35D BlockInput,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4E643 SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A57BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0096F170 SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0096A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00967CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
      Injects a PE file into a foreign process
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1013000
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009843FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Process created: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2F02.tmp'
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00986C61 LogonUserW,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0095D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_00983321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0099602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
      Source: upstsdssm.pif, 00000002.00000003.698185321.0000000003CE7000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.926683829.00000000037F7000.00000004.00000001.sdmp, upstsdssm.pif, 0000000F.00000003.730905321.00000000038E2000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: upstsdssm.pif.1.dr | Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
      Source: upstsdssm.pif, RegSvcs.exe, 00000005.00000002.926386803.0000000002190000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000005.00000002.926386803.0000000002190000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: upstsdssm.pif, 00000002.00000003.696703063.0000000003CC1000.00000004.00000001.sdmp, upstsdssm.pif, 0000000F.00000003.727864603.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000005.00000002.926683829.00000000037F7000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD2
      Source: sqbr.wlw.1.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000005.00000002.926386803.0000000002190000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: upstsdssm.pif, 00000002.00000000.676789182.00000000009D2000.00000002.00020000.sdmp | Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
      Source: upstsdssm.pif, 00000002.00000003.683786597.0000000003CB1000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then>2
      Source: RegSvcs.exe, 00000005.00000002.926808188.00000000038BD000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4E34B cpuid
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A4CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_0096E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | Code function: 2_2_009C2BF9 GetUserNameW,
      Source: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe | Code function: 1_2_00A3A995 GetVersionExW,

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 5.2.RegSvcs.exe.474b041.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b2e068.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.474560b.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4757078.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b97078.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb0000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6b041.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4ac5058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b2e068.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4757078.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.4685058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.9b0000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46b9860.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f6b041.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.6fb4629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.474b041.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 5.2.RegSvcs.exe.47407ce.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.3.upstsdssm.pif.4b97078.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 18.2.RegSvcs.exe.3f607ce.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.3.upstsdssm.pif.46ee068.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR
      Source: upstsdssm.pif, Binary or memory string: WIN_XP
      Source: upstsdssm.pif, Binary or memory string: WIN_XPe
      Source: upstsdssm.pif, Binary or memory string: WIN_VISTA
      Source: upstsdssm.pif.1.dr, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
      Source: upstsdssm.pif, Binary or memory string: WIN_7
      Source: upstsdssm.pif, Binary or memory string: WIN_8

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: upstsdssm.pif, 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: upstsdssm.pif, 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Yara detected Nanocore RAT
      Source: Yara match, File source: Process Memory Space: upstsdssm.pif PID: 6032, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: upstsdssm.pif PID: 3296, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7128, type: MEMORYSTR
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif, Code function: 2_2_009BC06C OleInitialize, _wcslen, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, GetActiveObject
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif, Code function: 2_2_009C65D3 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
      Source: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif, Code function: 2_2_009B4EFB socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket

      Mitre Att&ck Matrix

      Techniques are listed per tactic column; the number after a technique is the signature count shown in the matrix.

      • Initial Access: Valid Accounts 2, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
      • Execution: Scripting 11, Native API 1, Command and Scripting Interpreter 2, Scheduled Task/Job 1, Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
      • Persistence: DLL Side-Loading 1, Valid Accounts 2, Scheduled Task/Job 1, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
      • Privilege Escalation: Exploitation for Privilege Escalation 1, DLL Side-Loading 1, Valid Accounts 2, Access Token Manipulation 21, Process Injection 312, Scheduled Task/Job 1, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
      • Defense Evasion: Disable or Modify Tools 11, Deobfuscate/Decode Files or Information 11, Scripting 11, Obfuscated Files or Information 12, Software Packing 12, DLL Side-Loading 1, Masquerading 22, Valid Accounts 2, Virtualization/Sandbox Evasion 21, Access Token Manipulation 21, Process Injection 312, Hidden Files and Directories 1
      • Credential Access: Input Capture 31, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
      • Discovery: System Time Discovery 2, Account Discovery 1, File and Directory Discovery 4, System Information Discovery 36, Query Registry 1, Security Software Discovery 121, Virtualization/Sandbox Evasion 21, Process Discovery 2, Application Window Discovery 11, System Owner/User Discovery 1, Remote System Discovery 1, Local Groups
      • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM
      • Collection: Archive Collected Data 11, Input Capture 31, Clipboard Data 2, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
      • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
      • Command and Control: Ingress Tool Transfer 1, Encrypted Channel 1, Non-Standard Port 1, Remote Access Software 1, Non-Application Layer Protocol 1, Application Layer Protocol 21, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
      • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
      • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
      • Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

      Behavior Graph

      Behavior Graph ID: 501775
      Sample: KRSEL0000056286.JPG.scr
      Startdate: 13/10/2021
      Architecture: WINDOWS
      Score: 100

      Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
      Sample-level DNS/IP: strongodss.ddns.net

      Process tree (paths elided as in the report):
      • KRSEL0000056286.JPG.exe started
        • Dropped: C:\Users\user\AppData\Local\...\upstsdssm.pif, PE32
        • Signature: Drops PE files with a suspicious file extension
        • upstsdssm.pif started
          • Dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32
          • Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
          • RegSvcs.exe started
            • DNS/IP: strongodss.ddns.net 185.19.85.175, ports 48562, 49765, 49766, DATAWIRE-ASCH, Switzerland
            • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, data; C:\Users\user\AppData\Local\...\tmp2BE4.tmp, XML; C:\Program Files (x86)\...\dhcpmon.exe, PE32
            • Signatures: Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
            • schtasks.exe started, which started conhost.exe
            • schtasks.exe started, which started conhost.exe
      • RegSvcs.exe started, which started conhost.exe
      • dhcpmon.exe started, which started conhost.exe
      • 3 other processes started, among them RegSvcs.exe and conhost.exe

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif | 32% | ReversingLabs |

      Unpacked PE Files

      Source | Detection | Scanner | Label
      5.2.RegSvcs.exe.1300000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      5.2.RegSvcs.exe.6fb0000.10.unpack | 100% | Avira | TR/NanoCore.fadte
      18.2.RegSvcs.exe.9b0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      Source | Detection | Scanner | Label
      strongodss.ddns.net | 13% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | URL Reputation | safe
      185.19.85.175 | 4% | Virustotal |
      185.19.85.175 | 0% | Avira URL Cloud | safe
      http://go.microsoft.c | 0% | URL Reputation | safe
      http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe
      http://www.globalsign.net/repository09 | 0% | URL Reputation | safe
      http://go.micU | 0% | Avira URL Cloud | safe
      http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe
      strongodss.ddns.net | 0% | Avira URL Cloud | safe
      http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      strongodss.ddns.net | 185.19.85.175 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      185.19.85.175 | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
      strongodss.ddns.net | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://secure.globalsign.net/cacert/PrimObject.crt0 | upstsdssm.pif.1.dr | false | URL Reputation: safe | unknown
      http://go.microsoft.c | RegSvcs.exe, 0000000B.00000002.704185603.0000000000B65000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://secure.globalsign.net/cacert/ObjectSign.crt09 | upstsdssm.pif.1.dr | false | URL Reputation: safe | unknown
      http://www.globalsign.net/repository09 | upstsdssm.pif.1.dr | false | URL Reputation: safe | unknown
      http://go.micU | dhcpmon.exe, 00000014.00000002.746461861.0000000001587000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.autoitscript.com/autoit3/0 | upstsdssm.pif.1.dr | false | | high
      http://www.globalsign.net/repository/0 | upstsdssm.pif.1.dr | false | URL Reputation: safe | unknown
      http://www.globalsign.net/repository/03 | upstsdssm.pif.1.dr | false | URL Reputation: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        185.19.85.175 | strongodss.ddns.net | Switzerland | | 48971 | DATAWIRE-ASCH | true

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:501775
        Start date:13.10.2021
        Start time:08:48:09
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 14m 0s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:KRSEL0000056286.JPG.scr (renamed file extension from scr to exe)
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes:33
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@21/45@12/1
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 24.6% (good quality ratio 23.4%)
        • Quality average: 75.1%
        • Quality standard deviation: 27.8%
        HCA Information:
        • Successful, ratio: 60%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.203.141.148, 20.54.110.249, 52.251.79.25, 40.112.88.60, 2.20.178.24, 2.20.178.33
        • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Not all processes were analyzed; report is missing behavior information
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        08:49:17 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
        08:49:22 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
        08:49:23 | API Interceptor | 902x Sleep call for process: RegSvcs.exe modified
        08:49:25 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
        08:49:26 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\33911166\Update.vbs
        08:49:34 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Joe Sandbox View / Context

        IPs

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        185.19.85.175 | dAkJsQr7A9.exe | Get hash | malicious | Browse |
        185.19.85.175 | dUzAkYsvl8.exe | Get hash | malicious | Browse |
        185.19.85.175 | voo7b2BBq6.exe | Get hash | malicious | Browse |
        185.19.85.175 | xmsGPH324z.exe | Get hash | malicious | Browse |
        185.19.85.175 | dVWsghK4Aj.exe | Get hash | malicious | Browse |
        185.19.85.175 | 2E9xpfvD2O.exe | Get hash | malicious | Browse |
        185.19.85.175 | uF74GlbXPc.exe | Get hash | malicious | Browse |
        185.19.85.175 | jFjTeUfek3.exe | Get hash | malicious | Browse |
        185.19.85.175 | Q7DYDgQhKp.exe | Get hash | malicious | Browse |
        185.19.85.175 | dlDGpRFSEo.exe | Get hash | malicious | Browse |
        185.19.85.175 | s8uDIcv0XT.exe | Get hash | malicious | Browse |
        185.19.85.175 | LRlhF3NgEM.exe | Get hash | malicious | Browse |
        185.19.85.175 | iCtAiCA2Eg.exe | Get hash | malicious | Browse |
        185.19.85.175 | STC8924578611.JPG.exe | Get hash | malicious | Browse |
        185.19.85.175 | BK7489583093410.JPG.exe | Get hash | malicious | Browse |
        185.19.85.175 | FFXML21050419.exe | Get hash | malicious | Browse |
        185.19.85.175 | mzyDSLb1u9.exe | Get hash | malicious | Browse |
        185.19.85.175 | Doc.202107028.exe | Get hash | malicious | Browse |
        185.19.85.175 | Shipping#docs.exe | Get hash | malicious | Browse |
        185.19.85.175 | DOEN100000597.exe | Get hash | malicious | Browse |

                                                Domains

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        strongodss.ddns.net | dAkJsQr7A9.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | dUzAkYsvl8.exe | Get hash | malicious | Browse | 197.210.84.227
        strongodss.ddns.net | voo7b2BBq6.exe | Get hash | malicious | Browse | 105.112.32.231
        strongodss.ddns.net | xmsGPH324z.exe | Get hash | malicious | Browse | 105.112.32.231
        strongodss.ddns.net | dVWsghK4Aj.exe | Get hash | malicious | Browse | 105.112.32.231
        strongodss.ddns.net | s8uDIcv0XT.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | LRlhF3NgEM.exe | Get hash | malicious | Browse | 105.112.228.76
        strongodss.ddns.net | iCtAiCA2Eg.exe | Get hash | malicious | Browse | 105.112.228.76
        strongodss.ddns.net | STC8924578611.JPG.exe | Get hash | malicious | Browse | 105.112.98.218
        strongodss.ddns.net | BK7489583093410.JPG.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | FFXML21050419.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | mzyDSLb1u9.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | Doc.202107028.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | Shipping#docs.exe | Get hash | malicious | Browse | 185.19.85.175
        strongodss.ddns.net | DOEN100000597.exe | Get hash | malicious | Browse | 185.19.85.175

                                                ASN

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        DATAWIRE-ASCH | Quotation Request.pdf.exe | Get hash | malicious | Browse | 185.19.85.137
        DATAWIRE-ASCH | Proof of payment.jpg.exe | Get hash | malicious | Browse | 185.19.85.137
        DATAWIRE-ASCH | Proof of payment.jpg.exe | Get hash | malicious | Browse | 185.19.85.137
        DATAWIRE-ASCH | MT103 10.11.pdf.exe | Get hash | malicious | Browse | 185.19.85.136
        DATAWIRE-ASCH | dAkJsQr7A9.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | GIV PO 00254.xls.exe | Get hash | malicious | Browse | 185.19.85.136
        DATAWIRE-ASCH | dUzAkYsvl8.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | BL & INVOICE.exe | Get hash | malicious | Browse | 185.19.85.171
        DATAWIRE-ASCH | Routing Details.vbs | Get hash | malicious | Browse | 185.19.85.170
        DATAWIRE-ASCH | Nueva orden #7624.xls.exe | Get hash | malicious | Browse | 185.19.85.136
        DATAWIRE-ASCH | voo7b2BBq6.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | xmsGPH324z.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | dVWsghK4Aj.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | Proof of payment.jpg.scr.exe | Get hash | malicious | Browse | 185.19.85.137
        DATAWIRE-ASCH | ShippingDocs.exe | Get hash | malicious | Browse | 185.19.85.171
        DATAWIRE-ASCH | 2E9xpfvD2O.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | Proof of payment.jpg.scr.exe | Get hash | malicious | Browse | 185.19.85.137
        DATAWIRE-ASCH | uF74GlbXPc.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | jFjTeUfek3.exe | Get hash | malicious | Browse | 185.19.85.175
        DATAWIRE-ASCH | Q7DYDgQhKp.exe | Get hash | malicious | Browse | 185.19.85.175

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):45152
                                                Entropy (8bit):6.149629800481177
                                                Encrypted:false
                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Reputation:unknown
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):142
                                                Entropy (8bit):5.090621108356562
                                                Encrypted:false
                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):142
                                                Entropy (8bit):5.090621108356562
                                                Encrypted:false
                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                C:\Users\user\AppData\Local\Temp\33911166\Update.vbs
                                                Process:C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                File Type:ASCII text, with no line terminators
                                                Category:modified
                                                Size (bytes):143
                                                Entropy (8bit):5.044581587746334
                                                Encrypted:false
                                                SSDEEP:3:FER/n0eFH5Ot+kiE2J5xAIdcET6WGbUouZDt+kiE2J5xAIdcETpHu0:FER/lFHIwkn23fdcE+wouNwkn23fdcEX
                                                MD5:BED3F060611547B9D81952389AC2B088
                                                SHA1:E616E3AA0EA8E297A2602242E13A3477681287A2
                                                SHA-256:B7A9F2DD4089C938788C6051D903B01E0C2AED713513E4DFB134FE5C91949255
                                                SHA-512:2846E849DFB88B360CAD6B8278AC6817F9930CD45F0D64EF67EBD1F187A1DA87B9FC2FA4CD9BD8728FBE2D822F15481649F3576F58DDA061AE1A22428A038A00
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw"
                                                C:\Users\user\AppData\Local\Temp\33911166\acdtfoidpw.exe
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):530
                                                Entropy (8bit):5.482370918685384
                                                Encrypted:false
                                                SSDEEP:12:c+uhAYRz7mGknY23TSWKm9VjOSK74jh51Nd7DQAycx3/:buhRz7GY21Km9tKcjh5eAF
                                                MD5:EFAC1E031262E2FD22D77BE15E450C43
                                                SHA1:BBF4B853791A783536E3BC4CDFB81493210A50FF
                                                SHA-256:883906DBD80E79B4B55A2F49D42E19B816A8C37822918923875C57A9D2BB3F34
                                                SHA-512:D8680BABFC3ACD23ABEE5B4928C79C2BFCD00ABC6DF736D96BDC0E9644D530747981311F8280E585E351BDAA0BDAE2ED62D8FE8E33DA748626A5AB7CB813116A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 8K7X17O1885c..j1KAMNUl252X1sHZ51..u7it910lQO9dAt9456Ev719K37eZ7720306ZXpvVZ991pQ3Ev0c7KM26k8P6uE4spLS30tk01yI15..i889Dogm41v1ZfL04ri56R3L4sT27C377C571SH6xR0F057y6OE30Ng9xkC7eE57VHVy80f5eL7295pd9..J995x8CHo0wCK145p7J22V69dor0Hb38o0T53ZX01D5KB7E9X4F30tu4lS0M..I1aR0d2997oWYEn5BL23n487H98508LP0J1DchsD06jqM945NM931e3Z26ZG0mx62PINc91kj773tYl5849I818a728d19P2s2rvj1do3vk16Yl815633m135GrdN7F04r..71tjt8392h49FHXM3Ra31E9b43UrK78NRZ9pb8ts14473M66t8PyP5189gbia01YUH0UG9SO21517qs8vFuGA3o2c8246i768x7n8h8i83107LSz950m572o4yAy8r85BZxgDGY38p..
                                                C:\Users\user\AppData\Local\Temp\33911166\bbslmxx.mp3
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):508
                                                Entropy (8bit):5.503691278659062
                                                Encrypted:false
                                                SSDEEP:12:zRsYoVZfEJIX/USsdRdy5pX29Ib5vimc1Q62U8dz8wYIPpyTVRyuZQh:9snVSJqcc5pX2eb5viw7dz83IRyTdZQh
                                                MD5:B9BE27AD54D7859E5865D3F2A9511ED4
                                                SHA1:3DCEB86073B93C870191B8272A158F1E45E68246
                                                SHA-256:F53C1F020873EC6243B519A39A8AD0B8FB46AD23536847BB3A82F3B68BC3EF14
                                                SHA-512:830EDF52B04C1894D00C4CB39C879BD6559031C1B3B2B01187BAA1A34D23CE369336A09AAE3A19D69C41BC36256CFE00B7B246AC682A52351A363B9FE0232960
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: m92sa69qA70jT794Y9U8gl2U5QJrk87y2c34q95QZKCWfi60X736A4FB603S9E20dzNLa..9R0Y55m2ui46Tlo6g9F000924mJt6ED1HMFlW2p0171n29b3iWwlS7i84NV8ac031Pb4Eyf55g4Bj77kxTw2L519R1cT7054r87Z9g41292w59v563C5T9N03a0N0692926827G1Qa846T8750v2x9N1M5BlDGci..6Z3T719h14YM48sa8261iJ3nBi48s606P2NJuPC990B55UU0331HEk2kH44Lar253Mt7BY2st2O55NPVtOx7I89..il9jcg1Zu2Wz3358j09b441CRdfHL2aH8tyOO3E8ab29V361yL94O8nw9XBa54253U6SMs1263jhJj530oDPxYWClgP699ZB3Q1W6Q79WC0JmT4424L0u41Y7WDrYxa42e6T975l273Q8D6vA5f3XBz3F61..71W8SmKH41i6TLfMhc71LwUrMr7..
                                                C:\Users\user\AppData\Local\Temp\33911166\blmcuvi.bin
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):658
                                                Entropy (8bit):5.467503965290551
                                                Encrypted:false
                                                SSDEEP:12:+cfeRsKimVAe1UNHkAEaBHuLycVA/2hMfX+SS/cF+pHXAG:jfeRsKLBrK0yczhMvjSUF+JXB
                                                MD5:07B5B11DD6CFDF00045139785AB35285
                                                SHA1:EAEF5689C59036D435A492A918060F4219C3DA97
                                                SHA-256:81D5A96885A8D2CEC546D2E35259A79F77B3EFCC094DD69A17E7C838B50D431D
                                                SHA-512:87DC099983D80B18FA2598AC5B0995E17D699669C042DD8F8C13F0C9250DDC955ECBE2AF68A83FFA3E53EC5A89CE2F532B733C11E7A2AC5723E0C43BA74298D1
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: HJR5W1vkK1FO27gUC3Ex90xV6PO85..6E044l1246U7740FAdPbd34679GDz72a9N32636a13h4Jqoo342F0..li2IY041680r7567tI56s7Ft3VzmZ347JE40QQ1r9gd7Rn0R0B4qd19OLyyS377d90r61w58bw..9LF7q8c251VO1s2YvzSX33169m350Q7w14fZ05Ibnm6a84EUC8M71n0CEaq9U3926c45w9C0I56x3b3P5PWK6qOA..3XL5eGsn0cw6n3H7f5585oM82d3002V3560740L543nPVdFK77090g8A15y27N9WnBY1Ot8J2X7M9w8951x7M3Y28D9Dm8WH1dgh9gZF124PVkCf558C7T7768yA7l6..5490qz70DQ6J..VjEN33117T10784F84y342DFd3m473P374bfHe7561b09P09o2J0275aq5DN0ee792x7ab1884Su71D68A93uhYTRN3786eSb23Ed..98V3408q1VCNDo6I58Jqrv80YO9R7nF92vsA5899yb6881ecYJT3x80yyl2p12o5269G8Rp8W42O2L19338GV34H4m2Ti5Ol846kKi3A1Ig5115RTsJ2p9S7043b6GPCKD31UK86l6L2v968341rHeEh5ph1lf..
                                                C:\Users\user\AppData\Local\Temp\33911166\efupmjbj.log
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):601
                                                Entropy (8bit):5.452469277963245
                                                Encrypted:false
                                                SSDEEP:12:H25YoBjHv8bI4Cs9bSURlMj88Zd8jAGRWutiQ/XGc3yThf:aYwjPqRRSwe88TuA0WXkR3yThf
                                                MD5:B7344FC88743A3363933C407A6CFB8A3
                                                SHA1:8B6A0AF17F9D47F2808D18E0BB16070F70546BA1
                                                SHA-256:D9B344EFA5CC19DF933DE017C2310C1D4F4B76FBCC75CB47C00AB1F269C8CD35
                                                SHA-512:CACCAA4968B6FB795F697722481234016E8BB214B24186A75989E4F4E01E5EA75A6477A4CEF0C156BE611BF1728134C6E50AE3A736F4C2B6D0E1EAA974FD4245
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 3Ak222AS325P254YMKr2u8FTKpISJb43G2H7Uyh82U4359eCaR5l43395p7K6G7Q90nl99gj9x12q821G88q27W111W4uz96eib9eTy834E09E24..GK76e30iv97m7586u2deq8GJK85NJ67sw6525U70580lPCB03WZ0s4OC1n539RpwMY0Y7p99R654Bjdxs81s454xj1K2765J9b37t3Zs..e0avgh4G4jB1d27E3eyewv7M0Q64qKYG277g130u02mrEZZbZf57297ic9N8kWs15T74497Gn..p41t3gE84y9G07J1173CDC7uSzu0185I3DLf6k1I83gi8I238myo3A500l7179P6578T27L..90V03i1N0Q3JQ0355x72j2w6L7jy1r7n742nvB74Sd9d5NY9IoaW2aP6C4491W9D0t0676Qv8q6x811Rj0s8MX1w88m126sJW208QLOJ22Q6RDiDwNAw50..Q269PO39L878R2989Z0V3n4Ks95H2Y4v1fQ4J8Cx8G17X5l950V3i8rg485eTh0W531uCax353Zh98PpNYYjh1j61KfOY420g775qb45t316656..
                                                C:\Users\user\AppData\Local\Temp\33911166\egccradum.rpq
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with very long lines, with no line terminators
                                                Category:dropped
                                                Size (bytes):430098
                                                Entropy (8bit):4.00001165117451
                                                Encrypted:false
                                                SSDEEP:6144:2pppWZDs2KIfh1c5iCuUtz1zdH6tL7GdFfwT2dtk5:2pCffhwJzhtaUs2dw
                                                MD5:8A7C869AD69DD7EC00AA3FBD4AFA5DA0
                                                SHA1:4760A47040FC0F93BE6CCC80261DB6BC31700E55
                                                SHA-256:22B4837BB2B0E795AEFD607EFE9175CA7EA6DA100300CB9277EA84D9CD19D3D3
                                                SHA-512:54FBB02F7537692784FC461ACDA2DA8AA831294838FEF5602FF5E401F09B8084D369B06045F3EF187391AFCE8BF346C9896B3565EE8337CE21C0AE6B7B72118F
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\eiad.jpg
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):633
                                                Entropy (8bit):5.431173825499616
                                                Encrypted:false
                                                SSDEEP:12:xCdMhs1pRVwhU12wSxdRS6Toei5iaUc22s2dHVT4GvoH+EVl:QGaDVP12wQdRS6TAQ2s2Ee8l
                                                MD5:E8D22557BB5F6603C532C98865CCD5A9
                                                SHA1:636DC732C27BBDB8B629F8BCBB57274F7BDB63B0
                                                SHA-256:5F494B2BA3C5700F128E56495D533105A8D371F443C7CB45BCEFB90AA927C3C2
                                                SHA-512:0329FDCD8373367637370A36A3A6A50E1B2409CD48F1FBB2CECCB9A217FAD0B3AD92B0863B857E53956ABBB295D9B33B353F123228E91501EF89E7DE34A0D2A3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 832b8X228176..7U04w6oX6O4FI9g8a3S8q27Y69r645i7vz9Z1466HNZYyg11B76F5IpXEL86R6V655n9993dVM6d2TY2pO9Qg94sRF0857Z2355QB6IV726l91638q54698gz8SJpXX14n3A533P4..Exkd1dV37Lz3s8IYnk2p8P99415NG19Ac85Q99JW260Kctm476VQ664s7eG456WhHAU96901713896rs7Uq25p50mE47K5Zu4aYo395Llo4..q4ae26R35s8wT1bqa5600I33zL2fQK2K9MJeB495G71y1MCV76qc064y3w7ByO8m3jz7q86Yu90RKB324X7T61..5X5a3Q9R9jk44n812AC50ETe8ZqWg4Z96IzT1T5ml86n5A6BJRlbThjYh5V49Opp2e8Ewi65865F5Z5ZDFW..6m25986k81127009u8S6iB5IO7cuF9y6SL977578c..dPo9U66342O44G38A9Uv07iXgX02I067P2B1x13E2Ng624671r97heI6rO3725a01v9ir77p21Y9UzW371gJ04zjn4nS1zp3D73B28lw2k30136Gf7lz97935556651d4b9OO048xp5IiX0b75pTSZGzp..
                                                C:\Users\user\AppData\Local\Temp\33911166\fagbcbo.ico
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):533
                                                Entropy (8bit):5.432805479294794
                                                Encrypted:false
                                                SSDEEP:12:ubljeOfOYdnKCZLVoIzlbV6wwVFT0jC7MqVY3zdZAff82jVMXUDn:ubEcTgwwVV0mMqVSsE2jIUD
                                                MD5:55CD69436FA392FC74563FEA94C0D9CC
                                                SHA1:A393C02EA3EE453274CF25F96404236A3255EA1C
                                                SHA-256:D9535DE1EA8CA1E086C374620D483E5B1253C2589B62D80480FAC4A2129BAD38
                                                SHA-512:A79E93E2681062A18B64903EF2DF82FE7B4C3B213851B5EEBB21F328DA59A96327EF41AD1C5EEC61B77FC11765895E11A35810C4EB9DC765FB16E71050A7D0D8
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\ftsqid.ppt
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):604
                                                Entropy (8bit):5.465100475991333
                                                Encrypted:false
                                                SSDEEP:12:WnTt5dLVroBrW6drqhDr/yim81cmmzIpr4UCQ5mVqcepIm1XYr:WnpBd6hSDzytDm5r4UCZVqcepImFYr
                                                MD5:EF740CD570DD4766D6AE0A4C462E4C86
                                                SHA1:6EBEA042B020CA9E4A76ED1B7D528BA426A62A27
                                                SHA-256:23AB3D6E1C7366171C810C8C303836BD953705E37766DC3673C8D1ADA9C60BF0
                                                SHA-512:193E507762A514EC4F73F294B700554FB5907A59189A87B65192E91CD7B83FFB0AB8360D7A38AA48CD011C6499D69F5BCCD0D60DF88F68A919A869F4085A5A58
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\ftwkmrtqp.docx
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):548
                                                Entropy (8bit):5.465064929486492
                                                Encrypted:false
                                                SSDEEP:12:ozjMCyFovbegtECerBNk0iKpKdnyHLqfFC1zllBoGoxn:qvAovbeCE/sHKcdnyHLqfKtoGQ
                                                MD5:51C93DF30373E2B4808CCD94060AF817
                                                SHA1:CCD9097DE3DC6CF69DF311CD7BC266DC9232A702
                                                SHA-256:6BD27A359F02E248CDB45E6E150119ADD745AA028BE3009DB71578859BD7E149
                                                SHA-512:7F22F1C8494E0760837D0B110E75589020C0EE2E71C437D96EE736DF8A3C9B7FE9F809C199C63AB5E39BB66A1B129BABCB4C75C73645D3DFA9690FD13F6CF2B8
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\gbjrbcio.ppt
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):505
                                                Entropy (8bit):5.473101669206148
                                                Encrypted:false
                                                SSDEEP:12:1sYFONrX7jOPqZgmQhhzc6ORhfdTj5E0PKrqqBGN0y:1LMNrngT3MR5d6SwfBGGy
                                                MD5:FD088B0DD1DA3EC4F335AE136030DB08
                                                SHA1:A068795B4A6315E8EC6FBEDF6506BBB2AB007541
                                                SHA-256:BCA36CB79511273DFA8BBBF029D6E94DAEAEEBE46F6571881AAA1352CC8F6FA5
                                                SHA-512:4E097D2FCF97DFFD6A1316BA52E908C804E7AC7A20D3923765A685EDE3DF570C53ABD74716606027816A055D9C1DC86039A90C04B8217DDB72FEDCBFE79B8D43
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\gdljljtq.cpl
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):48980
                                                Entropy (8bit):5.5709636707326045
                                                Encrypted:false
                                                SSDEEP:768:mPmqXrVN5vK2fOoiIGRVHrzTBmqFTv+lIJT7FiyU/4AM0tRQWMJGggQCDavT+VIJ:zgr75v9OoihRVHBzFT+6lha410tRQWMj
                                                MD5:A7A133BCD7D03BBF6ADDC1658BF20DAC
                                                SHA1:0A3A664884BA14B7738368307AF1E498069D5348
                                                SHA-256:AB5E48986B6BA499E11720D12E42BCAA8C6D712E59CCD29369F7425BD1D4A678
                                                SHA-512:C205518FB94D1BC33E729E3790355FBAEDDD8073966EA44F906C1321FAD325B73108AE1575A09EFC4E1FFDE4DC4485DD53373C8219AA2C820E30B28C5602574E
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\grwmscle.bmp
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):551
                                                Entropy (8bit):5.464613608461425
                                                Encrypted:false
                                                SSDEEP:12:j3IvpXmJgFeoon+sroHuQ6xc8Y4YXHXja4R/b+t/w3ENsVQHQ:m58gFejnFAf6Nq3DRQw3Aw
                                                MD5:FAEC8B3E9041BBBAE67F552C91764776
                                                SHA1:0EF8E9676EEAB9716AD08EE6BF75BB727B8A6E43
                                                SHA-256:0D36C32258EDB46B3B9325B207126B530D3D4073060CB32B08E5FB9FBE924591
                                                SHA-512:E46F365FD17FB91CBB0FD3D105D521C9F4BF33FA825FF85F5E2CC52EBA7C88B607B2DD673C1C4571B893FD97848491646C0D137390AE31EF5214BCADEB5E681A
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\ihkq.pdf
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):572
                                                Entropy (8bit):5.553967984733832
                                                Encrypted:false
                                                SSDEEP:12:XcwyUNHr6XC2sobJkpf8UvqyT1cr5E4VkDQyIgTdHQI2v5F1hZHtmsT8BBhiK:6c6XisOQa/DQpgTh0pT8B/iK
                                                MD5:14632FC015393D244C193C33C1C3DBCA
                                                SHA1:C084DF5AF865D0548C73CFE942208EA09A541521
                                                SHA-256:F73ECBCAC7B42C2A2CDEF1F102026D210708C24964401C286C876F13BA43F17B
                                                SHA-512:42855F0573F76358FEC1341CCA2A35B02AFB2A00E770FCD85A791B344730278003A4D749B89D9596000D9820CD78D1EED9026ACF75202AEA51576492DBE62309
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\ivexkhsw.bin
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):539
                                                Entropy (8bit):5.492587055677928
                                                Encrypted:false
                                                SSDEEP:12:wBPVejJwZVUX1V69pJ/LA1w15dcubSTQiu4nsorWETTJMBcUAUzrD:TGUXyn/U1w15BSMi7WtxzrD
                                                MD5:FE7B76FE43B0D48EC09E649D3791669C
                                                SHA1:9F16FE9CC7FB6D11409083D6D84586951DB9F44F
                                                SHA-256:5BBCB104598FD0CF02D426D6385613E8CCE500A253DA17C0FB06425306960C03
                                                SHA-512:F5B32D62FD836A0BFA71FE5594EF77064B354BEA2DD97AFEBD7D014A98DE495776521A55BBCF094358173FE498DB42DC166FDCC0D9DDC432A95EA33C2F7C774A
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\jowmpf.dat
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):596
                                                Entropy (8bit):5.497302797959579
                                                Encrypted:false
                                                SSDEEP:12:ClrnQwJ1Rt8oVHUOSReHJVALg+UOGRRROVt65kXSv:C1Q8b/rJVALYRW65kXSv
                                                MD5:07F615871C99E860DF4A51C2608589AD
                                                SHA1:E7D9977357F4B148E0C9F9DDDC25A11C3A2A3B0C
                                                SHA-256:9A6657FD3B23DBF7AAC5FCF306E0E9B18EA81496C1C8127EB31EFB6956F3B879
                                                SHA-512:567239D4584DF19688EF88D950A250D385D96A0BA9C90A9C2696DE5CE7AC5E081C74F7CB5F935D6A988921E8CC4EF88B90ECA5FEFF827293497FE8E8CB0DE517
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\liqucucmm.xl
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):528
                                                Entropy (8bit):5.445249383001988
                                                Encrypted:false
                                                SSDEEP:12:6XEvkolllAArNGiGizpRKSXX0otCzEG+IZTcZQStN7bfLbLyJD:30cGi/Ke/tnGnZQZHbf/Lyx
                                                MD5:DDDC12E603249AE7413C0F1152E415BE
                                                SHA1:20D6ED41E340B890CA845A1800E0FEA6310B5371
                                                SHA-256:B4AF5EB959E3823BA63CFF92CA7A3A480FA8EFF6FEC25611F9D2448C8EB975D1
                                                SHA-512:35DE0D18909A298D8BAF56EB3F2E4236223B2FA723C476042F264CB97A97775E5EF4CA61D23BE3AC5A4335F14733E54F58E89C58EAB86E2A2477CF430DF2343B
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\lpekjev.dat
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):632
                                                Entropy (8bit):5.505372170374117
                                                Encrypted:false
                                                SSDEEP:12:eOvlHskQ7KZEYf0pjlFhWzg+YNAJAXVr/ToZlzcCVu5UvvVFVDUj0:FUKZEYf0ezR5JErbWlXVEU5K0
                                                MD5:90F85E9DAA7BB4A1A1D029FD3D8F2CCF
                                                SHA1:A30E08BDC0506CFEC1CDAC32B9534A7F9920EA23
                                                SHA-256:5E56F31FBC40A67E7AFBA14117BD6DDF69D3656360D980DE7033997A8D0265B8
                                                SHA-512:2F801C5F8EF9EB7641123AA11644A0654C8DEC8ADDFBB560341624E3D5749E40BBB67F4EFFD44EB9CE1C460EDAA8BBC4CA1E77996EE1FA627067B7710E608897
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\lsgredal.xml
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):540
                                                Entropy (8bit):5.532441952803367
                                                Encrypted:false
                                                SSDEEP:12:8P1N0fS4L87XKay9/O8/GKi7c/ozQrCqBj61hwcS3ydrDJcSBn:8z/e6aay92NKCcAMGGj6zSiPc0n
                                                MD5:D471202643E357DA5B108B128DC7B903
                                                SHA1:694485C499C670F4ACBAE82D2B5776EFA1C4E6B3
                                                SHA-256:C38FC9C91DA774E70034CD82E83BA1A5A732019EBF20CA43B587C91EF343D131
                                                SHA-512:508D3725A9E71ADDFB2528181FD3AF02267FA1092FDB0B61C3F0FAA401BCDD29BDCB3180016D30F2089A9C4338F22899AC2479443FC46DEDF97A9A5724EDF264
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\mfnquskjg.xls
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):519
                                                Entropy (8bit):5.573296492791862
                                                Encrypted:false
                                                SSDEEP:12:0SpP2kZZfmh0PeipDdZ3a4QER9Y4KGdeBJC:0S52kvmym89KGIrC
                                                MD5:A9983318B76F9C053B2F9EC83D35E9C7
                                                SHA1:63CC776DD26B2DDE4352B729FB1B5E8F5F851E6E
                                                SHA-256:2249D2D3DC78D28FFF96998C83AA1EC9E9E8D30163984DC4924AAB8179FB4AB4
                                                SHA-512:30CE1F0AF2B1E825CBE440665F26E4D9A9A0FDA227F3D41F6AC79403F5FB400B95491C3A8A0E0DEB4D64B22C7139D86DC1ADEFEBAE0C5E53815C645E50B2BDBC
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\mvbphn.mp3
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):523
                                                Entropy (8bit):5.4783974308238825
                                                Encrypted:false
                                                SSDEEP:12:GrFt507gzMYcwErFBB3xZfSL7Ic/788ZBozOH2oM8Lc:Gx07gzM3xrXZrfSLccj8yalf
                                                MD5:8C9C4D223F47A96416446C0A49F595FF
                                                SHA1:558BE3F0C1FE5F8FD1FD2DEF9D56BEE3358A65F4
                                                SHA-256:8DA7F767634CE2F72AB495047B2BAE14FBB33389EEC28E41CE9B1434D0E29DC6
                                                SHA-512:C03BEEDE1E688FCCA260BCD13972D595344C86A1389C3AF0E621C3518A7AD2721B7DE366BE96B89FDE37727FD63018196EFE9233D266FBEBD59861E432C4FBDD
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\oexk.ini
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):569
                                                Entropy (8bit):5.4773736308617655
                                                Encrypted:false
                                                SSDEEP:12:mnnWdM3QMAou+SykUqgUH8uHYqW0bIVn9VBuAdc/7s2XumakoT1:mW23XAd5c56O8IVn9V8Adc/Iwux
                                                MD5:35C3A3E406066C083E25DEFE8E4A921E
                                                SHA1:9C2526B9706866CE1B75924F3AA967C1C8E20500
                                                SHA-256:C069BAE783EC8AD4D582B2C160D28ECDEFBDD3654488A8C2129EBCD3FC2B9B34
                                                SHA-512:7A6C3C9075C7AC4FA4FEF98C537907779FF5DB0A3CACF0F0AC6129A7CAE25E76D0F45E82CED5C4626CCFB7FACCFCD63E7986314657986097A45BAAD21267A623
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\qtthsrfrd.ppt
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):589
                                                Entropy (8bit):5.494103483866326
                                                Encrypted:false
                                                SSDEEP:12:E1h2WziB70vlEW2+ADg4Jo1FATJtdlJmN4Jbgw6XB7oiy:E13zW09Ex+io1YWnXpoiy
                                                MD5:ADF668485BE537AE0D6D5C0BD66705FF
                                                SHA1:5BE524D0D0E1B7FC42280224CAC2EE68EE0B49C8
                                                SHA-256:E1429751B756E17CFF90303EABD84985A6DE8264821901E78734BBCDE1D7ADB1
                                                SHA-512:631714903D57F3869D34F05C023685CEE8B4D0B505674A71CD268DBFBAD2F2FEC66D6137675AFB287A83E04636A738012359BCC9C96B98EE3224FEDD72F570B3
                                                Malicious:false
                                                Reputation:unknown
                                                C:\Users\user\AppData\Local\Temp\33911166\qxhdhpfdj.log
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):525
                                                Entropy (8bit):5.380432007459812
                                                Encrypted:false
                                                SSDEEP:12:gTD1TxGNYIJ7w/yszYThtywin1OTDDmaPv9ztd6SUzWU1O:gv1VoZJYUThMH1OTv5ztd5UzTI
                                                MD5:A91B92473AF61DC091981BFFF41A3A88
                                                SHA1:410EF9F87CAF3801C87D69637BB469FEF3C6A369
                                                SHA-256:38425C4F1F21ABEF2915051403B35003ED7274DC14B547FE84453F227510E1D2
                                                SHA-512:E0D08974FEE7065EF6DA299D6CE5BDE8119C625B79F1B92978D3A512221C5EBD76DDD5C3C36650EA3D49036ADBA08C6B2636F65750373C87747F1B94FD01284F
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\rwnbbebwm.ini
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):550
                                                Entropy (8bit):5.450135505815625
                                                Encrypted:false
                                                SSDEEP:12:UWsdYUrk6GI6UzY9piQh9ncQz1LpeLULCLPhpZeYk/cgsQTHucy:bsdPkc6UzYesncQ1perPhpZe9sQTNy
                                                MD5:F8DC6E3E70B4432C180B7FA0B27B8E50
                                                SHA1:5075849AB1FAEBEBD28D3660034C5C45E65EFA8F
                                                SHA-256:E94A2F8E556B0195E242AB5D6E0ADE9872BD67857D150E7E4640CF2AD21669B8
                                                SHA-512:63A14DAF5728FB278E8A3AC05AE1F8DB2B11899B8347CF14D399D028E8BA1B4EBBC3901584925BF421F6E515E042DD6647384FE10D7E1EE823DBC3DBB68F69CB
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\sbipvhb.docx
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):591
                                                Entropy (8bit):5.576834965418453
                                                Encrypted:false
                                                SSDEEP:12:SJxsCAM6SL26TpOuCEG20RHTtXGKsbNsdXD3ndFWE4gMc7G8WUqBhmX0l0:SJxdlLroEGjRXGEVZFH5k/BhK
                                                MD5:CCC74C070D273ABA95D7F8754706A255
                                                SHA1:171E25C7C895A8B583A8BEF713D077DE2419001A
                                                SHA-256:27DF235367CCC09F310E790A89511AB986A972722CD5F1BFC39D10019C7EBC74
                                                SHA-512:631C4DFF189499B858D927897869BD5C76DACD323A0E6C0F37C1E65038504972F3447DD6A52B3B0E3BB0A59EAEF05A7B2EDDBBBD9D0A098E9CC5854A9974C43B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):170560850
                                                Entropy (8bit):7.04008382283949
                                                Encrypted:false
                                                SSDEEP:196608:gdZxa4ul1+Nl/u+wy25wEPjq+L3gl8teH9pxCgiNZNgZIazbITenMzSvb4cJAka3:P
                                                MD5:A78521017EA74E5BE68BEAF3D0ADC368
                                                SHA1:1694584C416256DE6BFB0AB72C57675910F479B3
                                                SHA-256:17DCEB208F35A9966672EC161B2BA8D5A893DD51C204F2E62E291BE06F7595EC
                                                SHA-512:DA4C35668E82DF4E3BB4A8BEE982A809E495DBB375ECE7A330B08436F4B8ACC5E1508F31BD00C2434ADBDB4127D4B198111934CFBFD2423F1F9E796DDC06AD91
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\tvdjw.ppt
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):582
                                                Entropy (8bit):5.516494390661715
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:4D4F70BE0D08FD75119FE18C6F570095
                                                SHA1:654F9A02148D393B885A5803C2F3BB0146F2767F
                                                SHA-256:EB0B3CCE80BA0ACBA03CFBFE229AD3590F7F913CEB3F8378D5DCB93A427114DE
                                                SHA-512:6459017B3CB56B80CC43B82AAFF88292C05F9BE64B7376F4415CE98195F7C9F865BD8B9281963BE029AA524892E0D82082681C07B64FF3D64A9E25BDC352C7DD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\uetndqd.dat
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):543
                                                Entropy (8bit):5.575912124605288
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:6E7FF95EA98F7C0131B3CF7359F58AA4
                                                SHA1:78FF124AB67972F7ECC64B4BEF0B8F77B8E182FB
                                                SHA-256:6E5191C99610CA5611A7F7A68F45239BB4E22B904D96E2F2DB8D24112A540FBA
                                                SHA-512:B2312BD0C8F8C84FE21D4C6981856573CA5DB7C07989943D75020AE1211BFCEE6A1B5D7F1D74966D068BD442BB96BBED9B379747EAFAA8FEBC6E8CD28FE45214
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):777456
                                                Entropy (8bit):6.353934532007735
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:8E699954F6B5D64683412CC560938507
                                                SHA1:8CA6708B0F158EACCE3AC28B23C23ED42C168C29
                                                SHA-256:C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
                                                SHA-512:13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 32%
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\viah.xls
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):626
                                                Entropy (8bit):5.540591955140838
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:39583EFD61806B202DC523FE9CDA7EE8
                                                SHA1:0B9870CBAFCFD8017719B7EFB0FF192C04F73946
                                                SHA-256:8D13B7155EAB011986B11319C58A49145BB3290E6CA6C1F41758365739C07496
                                                SHA-512:A66CA5978DBC2EEFD608CF08BB87CEB8DEFAF570353B8417417C6C39E72119298D31D74BFFAE495F2532B9B5FE54FDDDCCC1259DD350209ECD5338C2225050DE
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\33911166\vvspktn.docx
                                                Process:C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):566
                                                Entropy (8bit):5.503301815812772
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:F50497247FF0B9655419829B94AAB136
                                                SHA1:87BFA58A7442428899D2CFEFB207DF673FB37919
                                                SHA-256:754CD760794897FCF41FC99EADAD2E31F125653E8A2A7398288E746BAC1C9881
                                                SHA-512:CA57A5C1254520EA59E6D31CD8751F2508EA61618606226CCD9E41CF57C23257D974D6B23C665B983B5B780479506873595924F87160A816A3F3F511AE27750D
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Process:C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):45152
                                                Entropy (8bit):6.149629800481177
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:
                                                C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.103583470672722
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:990B7A403BC76992021F9FA8008904F2
                                                SHA1:42911051D889BC22633FB4EC99794202975260A8
                                                SHA-256:2C4DC85A9C8127D7F864AB718245EBC0C5B625C04837AC84E012429E956936EE
                                                SHA-512:C5FF697E356C84B83D18952A5EDA27E225E649B89F8E43BEE565C6DFC87B12D15D8AD0698C03D6915786120042DABFBCB11493E233B8B3B2742EE8C0C5E4A09C
                                                Malicious:true
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Local\Temp\tmp2F02.tmp
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1310
                                                Entropy (8bit):5.109425792877704
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:09F439F8276044197F56C9B93E11E0A8
                                                SHA1:8EE20441D07988E58B2594DDD07B87D13FFD08B8
                                                SHA-256:EA4302CC1AE911347FEF20023AEDCBBBD32FAFB4FA5126B1A76E556B4B00C0CE
                                                SHA-512:14B40E1B79510346B54239BECDE54890F6C44D0410B78FD8D7856352691C7D7D34419A601B3C76472462A1E7982AB4E37BE0809360B9F1C9019FAE915AE38A28
                                                Malicious:true
                                                Reputation:unknown
                                                Preview: ).....H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):45
                                                Entropy (8bit):4.324534762707879
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:47370DB2229FE5D11F48C7C4DCF1D3DA
                                                SHA1:02F189B1593B564FAF6B30C1573A6C4156EEA2B8
                                                SHA-256:8DA13D1ABADD97A50839C4237102C680E32B80F56B8B594ACC289D603779F743
                                                SHA-512:0FAE24E7BA758031C3850E96BFB9F93B71E9CDF886A83F83F8B0BB57C76403DA0563E3B9117360968AA279927EB7FB8F77BA48B446635E60D159AFFB96979550
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                C:\Users\user\temp\gdljljtq.cpl
                                                Process:C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):78
                                                Entropy (8bit):4.830274579293434
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:516DFE5000E662A83C141F92FD1F5BCE
                                                SHA1:A96118D40F41AE06A8E3CAEAD9052F45D28692FC
                                                SHA-256:3A2E9484A8ED6BB903A1C03DA059D22F463608CD2BBDBBA833EE4F81C628BBA8
                                                SHA-512:22A8E5264B6BA380FC313087BF1515988D453111BDF0BCB8EB1F07460333FA5E066819F4BC20BDB75CA48A5F70E1F7EFECA526EEB75E8D1E3743D6642A068B98
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: [S3tt!ng]..stpth=%temp%..Key=Chrome..Dir3ctory=33911166..ExE_c=upstsdssm.pif..
                                                \Device\ConDrv
                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1141
                                                Entropy (8bit):4.44831826838854
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.8363360657594985
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:KRSEL0000056286.JPG.exe
                                                File size:1096674
                                                MD5:d6f040b4d7d217b8525dff843feba635
                                                SHA1:8ed8beaceddf8e8e9ba4b601d1e985e5c7c2d7d9
                                                SHA256:940ad66c876976f4a05f12710687f5abb76443f693dd3986d1ff7a4c73fc866f
                                                SHA512:fcbd072ba0b64e41931cf9e5bb8b2b73fd18ee9788907f1791cb13a52450e5bc81732f7fcd0d8d4af737cca4e9b59658a5292129848dbb9a7197aa86e405a4b7
                                                SSDEEP:24576:rAOcZEhIj7BkIMcXzBQuX+a6TPY5I7nT1RMwaz7:t8GI3XXN6c5IzTXM7P
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

                                                File Icon

                                                Icon Hash:b491b4ecd336fb5b

                                                Static PE Info

                                                General

                                                Entrypoint:0x41e1f9
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:1
                                                File Version Major:5
                                                File Version Minor:1
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:1
                                                Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

                                                Entrypoint Preview

                                                Instruction
                                                call 00007F35809EA42Fh
                                                jmp 00007F35809E9E23h
                                                cmp ecx, dword ptr [0043D668h]
                                                jne 00007F35809E9F95h
                                                ret
                                                jmp 00007F35809EA5A5h
                                                ret
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 00433068h
                                                mov dword ptr [ecx], 00434284h
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                push dword ptr [ebp+08h]
                                                mov esi, ecx
                                                call 00007F35809DD3A1h
                                                mov dword ptr [esi], 00434290h
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 00434298h
                                                mov dword ptr [ecx], 00434290h
                                                ret
                                                lea eax, dword ptr [ecx+04h]
                                                mov dword ptr [ecx], 00434278h
                                                push eax
                                                call 00007F35809ED13Dh
                                                pop ecx
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                mov esi, ecx
                                                lea eax, dword ptr [esi+04h]
                                                mov dword ptr [esi], 00434278h
                                                push eax
                                                call 00007F35809ED126h
                                                test byte ptr [ebp+08h], 00000001h
                                                pop ecx
                                                je 00007F35809E9F9Ch
                                                push 0000000Ch
                                                push esi
                                                call 00007F35809E955Fh
                                                pop ecx
                                                pop ecx
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 0Ch
                                                lea ecx, dword ptr [ebp-0Ch]
                                                call 00007F35809E9EFEh
                                                push 0043A410h
                                                lea eax, dword ptr [ebp-0Ch]
                                                push eax
                                                call 00007F35809EC825h
                                                int3
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 0Ch

                                                Rich Headers

                                                Programming Language:
                                                • [ C ] VS2008 SP1 build 30729
                                                • [EXP] VS2015 UPD3.1 build 24215
                                                • [LNK] VS2015 UPD3.1 build 24215
                                                • [IMP] VS2008 SP1 build 30729
                                                • [C++] VS2015 UPD3.1 build 24215
                                                • [RES] VS2015 UPD3 build 24213

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x4c28 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x210c | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
                                                PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
                                                RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870 | |
                                                RT_DIALOG | 0x64900 | 0x286 | data | English | United States
                                                RT_DIALOG | 0x64b88 | 0x13a | data | English | United States
                                                RT_DIALOG | 0x64cc4 | 0xec | data | English | United States
                                                RT_DIALOG | 0x64db0 | 0x12e | data | English | United States
                                                RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States
                                                RT_DIALOG | 0x65218 | 0x252 | data | English | United States
                                                RT_STRING | 0x6546c | 0x1e2 | data | English | United States
                                                RT_STRING | 0x65650 | 0x1cc | data | English | United States
                                                RT_STRING | 0x6581c | 0x1b8 | data | English | United States
                                                RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
                                                RT_STRING | 0x65b1c | 0x446 | data | English | United States
                                                RT_STRING | 0x65f64 | 0x166 | data | English | United States
                                                RT_STRING | 0x660cc | 0x152 | data | English | United States
                                                RT_STRING | 0x66220 | 0x10a | data | English | United States
                                                RT_STRING | 0x6632c | 0xbc | data | English | United States
                                                RT_STRING | 0x663e8 | 0xd6 | data | English | United States
                                                RT_GROUP_ICON | 0x664c0 | 0x14 | data | |
                                                RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                Imports

                                                DLL | Import
                                                KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                                gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                10/13/21-08:49:24.622129 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                                10/13/21-08:49:30.043800 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                                10/13/21-08:50:01.852937 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                10/13/21-08:50:27.576419 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                10/13/21-08:50:59.183707 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55046 | 8.8.8.8 | 192.168.2.4

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Oct 13, 2021 08:49:24.634686947 CEST | 49765 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:24.658971071 CEST | 48562 | 49765 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:25.206933022 CEST | 49765 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:25.229690075 CEST | 48562 | 49765 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:25.894480944 CEST | 49765 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:25.918853998 CEST | 48562 | 49765 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:30.050736904 CEST | 49766 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:30.061970949 CEST | 48562 | 49766 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:30.613795042 CEST | 49766 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:30.639122009 CEST | 48562 | 49766 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:31.207622051 CEST | 49766 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:31.233571053 CEST | 48562 | 49766 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:35.317673922 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:35.328969955 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:35.832782030 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:35.852721930 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:36.364105940 CEST | 49769 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:36.385612965 CEST | 48562 | 49769 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:40.396752119 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:40.416944981 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:41.005158901 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:41.023590088 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:41.708422899 CEST | 49770 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:41.720798016 CEST | 48562 | 49770 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:45.725672007 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:45.744610071 CEST | 48562 | 49771 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:46.255578041 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:46.275187969 CEST | 48562 | 49771 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:46.786947012 CEST | 49771 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:46.810313940 CEST | 48562 | 49771 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:50.839591980 CEST | 49772 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:50.880799055 CEST | 48562 | 49772 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:51.381108999 CEST | 49772 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:51.407155991 CEST | 48562 | 49772 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:51.912254095 CEST | 49772 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:51.923489094 CEST | 48562 | 49772 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:56.500642061 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:56.514734983 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:57.147151947 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:57.175626993 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:49:57.756596088 CEST | 49775 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:49:57.787166119 CEST | 48562 | 49775 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:01.854619980 CEST | 49793 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:01.872023106 CEST | 48562 | 49793 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:02.382056952 CEST | 49793 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:02.396207094 CEST | 48562 | 49793 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:02.897573948 CEST | 49793 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:02.916098118 CEST | 48562 | 49793 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:06.978290081 CEST | 49794 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:06.989483118 CEST | 48562 | 49794 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:07.492068052 CEST | 49794 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:07.527298927 CEST | 48562 | 49794 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:08.038671970 CEST | 49794 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:08.050090075 CEST | 48562 | 49794 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:12.055938005 CEST | 49801 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:12.081363916 CEST | 48562 | 49801 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:12.585937023 CEST | 49801 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:12.603615046 CEST | 48562 | 49801 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:13.117201090 CEST | 49801 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:13.149315119 CEST | 48562 | 49801 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:17.197591066 CEST | 49816 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:17.232659101 CEST | 48562 | 49816 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:17.773844004 CEST | 49816 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:17.830178976 CEST | 48562 | 49816 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:18.336383104 CEST | 49816 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:18.366679907 CEST | 48562 | 49816 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:22.369466066 CEST | 49818 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:22.381351948 CEST | 48562 | 49818 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:22.884411097 CEST | 49818 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:22.937565088 CEST | 48562 | 49818 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:23.446330070 CEST | 49818 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:23.490242004 CEST | 48562 | 49818 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:27.580359936 CEST | 49819 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:27.600647926 CEST | 48562 | 49819 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:28.102941990 CEST | 49819 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:28.128304005 CEST | 48562 | 49819 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:28.634335041 CEST | 49819 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:28.657845974 CEST | 48562 | 49819 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:33.366398096 CEST | 49820 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:33.400626898 CEST | 48562 | 49820 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:33.918035984 CEST | 49820 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:33.947212934 CEST | 48562 | 49820 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:34.447158098 CEST | 49820 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:34.470874071 CEST | 48562 | 49820 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:38.548623085 CEST | 49821 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:38.594904900 CEST | 48562 | 49821 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:39.103943110 CEST | 49821 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:39.165860891 CEST | 48562 | 49821 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:39.666320086 CEST | 49821 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:39.687637091 CEST | 48562 | 49821 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:43.699686050 CEST | 49822 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:43.711111069 CEST | 48562 | 49822 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:44.213743925 CEST | 49822 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:44.234070063 CEST | 48562 | 49822 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:44.744903088 CEST | 49822 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:44.758888960 CEST | 48562 | 49822 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:48.761919022 CEST | 49823 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:48.833791018 CEST | 48562 | 49823 | 185.19.85.175 | 192.168.2.4
                                                Oct 13, 2021 08:50:49.339410067 CEST | 49823 | 48562 | 192.168.2.4 | 185.19.85.175
                                                Oct 13, 2021 08:50:49.380379915 CEST | 48562 | 49823 | 185.19.85.175 | 192.168.2.4

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Oct 13, 2021 08:49:24.601938963 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:49:24.622128963 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:49:30.023174047 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:49:30.043800116 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:49:35.296396971 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:49:35.314847946 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:49:56.480530024 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:49:56.498676062 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:01.832587004 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:01.852936983 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:06.958302975 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:06.976814985 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:27.557086945 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:27.576419115 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:33.346246004 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:33.364629030 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:38.527420998 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:38.546122074 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:50:59.161433935 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:50:59.183706999 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:51:04.375217915 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:51:04.393402100 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                                Oct 13, 2021 08:51:09.531922102 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                                Oct 13, 2021 08:51:09.551088095 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Oct 13, 2021 08:49:24.601938963 CEST | 192.168.2.4 | 8.8.8.8 | 0x3741 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:30.023174047 CEST | 192.168.2.4 | 8.8.8.8 | 0x9c44 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:35.296396971 CEST | 192.168.2.4 | 8.8.8.8 | 0x73f7 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:56.480530024 CEST | 192.168.2.4 | 8.8.8.8 | 0xddf6 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:01.832587004 CEST | 192.168.2.4 | 8.8.8.8 | 0x3ccd | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:06.958302975 CEST | 192.168.2.4 | 8.8.8.8 | 0x105c | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:27.557086945 CEST | 192.168.2.4 | 8.8.8.8 | 0xc403 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:33.346246004 CEST | 192.168.2.4 | 8.8.8.8 | 0x3f56 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:38.527420998 CEST | 192.168.2.4 | 8.8.8.8 | 0xaa96 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:59.161433935 CEST | 192.168.2.4 | 8.8.8.8 | 0xc626 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:51:04.375217915 CEST | 192.168.2.4 | 8.8.8.8 | 0x468 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:51:09.531922102 CEST | 192.168.2.4 | 8.8.8.8 | 0xabe8 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Oct 13, 2021 08:49:24.622128963 CEST | 8.8.8.8 | 192.168.2.4 | 0x3741 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:30.043800116 CEST | 8.8.8.8 | 192.168.2.4 | 0x9c44 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:35.314847946 CEST | 8.8.8.8 | 192.168.2.4 | 0x73f7 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:49:56.498676062 CEST | 8.8.8.8 | 192.168.2.4 | 0xddf6 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:01.852936983 CEST | 8.8.8.8 | 192.168.2.4 | 0x3ccd | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:06.976814985 CEST | 8.8.8.8 | 192.168.2.4 | 0x105c | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:27.576419115 CEST | 8.8.8.8 | 192.168.2.4 | 0xc403 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:33.364629030 CEST | 8.8.8.8 | 192.168.2.4 | 0x3f56 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:38.546122074 CEST | 8.8.8.8 | 192.168.2.4 | 0xaa96 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:50:59.183706999 CEST | 8.8.8.8 | 192.168.2.4 | 0xc626 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:51:04.393402100 CEST | 8.8.8.8 | 192.168.2.4 | 0x468 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)
                                                Oct 13, 2021 08:51:09.551088095 CEST | 8.8.8.8 | 192.168.2.4 | 0xabe8 | No error (0) | strongodss.ddns.net | (none) | 185.19.85.175 | A (IP address) | IN (0x0001)

                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 08:49:02
                                                Start date: 13/10/2021
                                                Path: C:\Users\user\Desktop\KRSEL0000056286.JPG.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\KRSEL0000056286.JPG.exe'
                                                Imagebase: 0xa30000
                                                File size: 1096674 bytes
                                                MD5 hash: D6F040B4D7D217B8525DFF843FEBA635
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low

                                                General

                                                Start time: 08:49:11
                                                Start date: 13/10/2021
                                                Path: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif' sqbr.wlw
                                                Imagebase: 0x950000
                                                File size: 777456 bytes
                                                MD5 hash: 8E699954F6B5D64683412CC560938507
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.688014335.0000000004B63000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.689229706.0000000004AFA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.689830421.0000000004B2E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.691685371.0000000003D67000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.687930988.0000000004A91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.689465374.0000000004AC6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.687770374.0000000004A91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.687890008.0000000004AC6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.689659391.0000000004B2E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.687860827.0000000003D67000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.690506336.0000000004A91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.687835172.0000000004AFA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.688888724.0000000004B63000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Antivirus matches:
                                                • Detection: 32%, ReversingLabs
                                                Reputation: low

                                                General

                                                Start time: 08:49:16
                                                Start date: 13/10/2021
                                                Path: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Imagebase: 0xef0000
                                                File size: 45152 bytes
                                                MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.926541928.00000000036F1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.928515040.00000000063A0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.928515040.00000000063A0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.927287391.0000000004739000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.928459238.0000000006380000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.928459238.0000000006380000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.925657154.0000000001302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.928835225.0000000006FB0000.00000004.00020000.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 08:49:21
                                                Start date: 13/10/2021
                                                Path: C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2BE4.tmp'
                                                Imagebase: 0xc40000
                                                File size: 185856 bytes
                                                MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:21
                                                Start date: 13/10/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff724c50000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:22
                                                Start date: 13/10/2021
                                                Path: C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2F02.tmp'
                                                Imagebase: 0xc40000
                                                File size: 185856 bytes
                                                MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:22
                                                Start date: 13/10/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff724c50000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:22
                                                Start date: 13/10/2021
                                                Path: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
                                                Imagebase: 0x490000
                                                File size: 45152 bytes
                                                MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Reputation: high

                                                General

                                                Start time: 08:49:23
                                                Start date: 13/10/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff724c50000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:25
                                                Start date: 13/10/2021
                                                Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                Imagebase: 0xd60000
                                                File size: 45152 bytes
                                                MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Antivirus matches:
                                                • Detection: 0%, Metadefender
                                                • Detection: 0%, ReversingLabs
                                                Reputation: high

                                                General

                                                Start time: 08:49:25
                                                Start date: 13/10/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff724c50000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:49:26
                                                Start date: 13/10/2021
                                                Path: C:\Users\user\AppData\Local\Temp\33911166\upstsdssm.pif
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\AppData\Local\Temp\33911166\UPSTSD~1.PIF' C:\Users\user\AppData\Local\Temp\33911166\sqbr.wlw
                                                Imagebase: 0x950000
                                                File size: 777456 bytes
                                                MD5 hash: 8E699954F6B5D64683412CC560938507
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720524354.0000000004651000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720574571.00000000046BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720414849.0000000003967000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720446261.0000000004686000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.722243638.0000000004723000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.723424340.00000000046EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.723331373.00000000046EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.723579153.0000000003967000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.723493908.0000000004651000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720373529.00000000046BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720687094.00000000046EF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720808959.0000000004757000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720643972.00000000046EF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720715564.0000000004723000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.722731102.00000000046BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.723107754.0000000004686000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000F.00000003.720259774.0000000004651000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:08:49:32
                                                Start date:13/10/2021
                                                Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Imagebase:0x5e0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.742225136.0000000003F19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                General

                                                Start time:08:49:34
                                                Start date:13/10/2021
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\33911166\Update.vbs'
                                                Imagebase:0x7ff65ee40000
                                                File size:163840 bytes
                                                MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language

                                                General

                                                Start time:08:49:42
                                                Start date:13/10/2021
                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                Imagebase:0xf50000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET

                                                General

                                                Start time:08:49:42
                                                Start date:13/10/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff724c50000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
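The four process records above carry the detection-relevant facts of this run: a copy of the .NET utility RegSvcs.exe executing from the user's Temp directory rather than from the framework directory, wscript.exe launched on a .vbs under Temp, and a binary under "C:\Program Files (x86)\DHCP Monitor\" that has the same size (45152 bytes) and MD5 (2867A3817C9245F7CF518524DFD18F28) as the dropped RegSvcs.exe, while conhost.exe with "0xffffffff -ForceV1" is an ordinary console host spawn. The script below is an added triage example, not Joe Sandbox code and not part of the report: it parses a constructed excerpt of the "General" blocks (values copied from the report, the Yara list shortened), groups processes by hash, and flags the three suspicious records while leaving conhost.exe alone. Two points are assumptions: that the first dotted field of a Yara "Source" id is the sandbox's process index, and that the legitimate RegSvcs.exe lives only under C:\Windows\Microsoft.NET\Framework or Framework64.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt mirroring the report's process "General" blocks
# (paths, sizes and MD5s copied from the report; Yara lines are a subset).
REPORT = r"""
General
Start time:08:49:32
Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File size:45152 bytes
MD5 hash:2867A3817C9245F7CF518524DFD18F28
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000012.00000002.742141197.0000000002F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.741599350.00000000009B2000.00000040.00000001.sdmp, Author: Florian Roth

General
Start time:08:49:34
Path:C:\Windows\System32\wscript.exe
Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\33911166\Update.vbs'
File size:163840 bytes
MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C

General
Start time:08:49:42
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
File size:45152 bytes
MD5 hash:2867A3817C9245F7CF518524DFD18F28

General
Start time:08:49:42
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
"""

YARA_LINE = re.compile(r"^• Rule: (?P<rule>[^,]+), .*Source: (?P<src>\S+?)\.sdmp")

# Assumption: the genuine RegSvcs.exe is only found under these framework directories.
EXPECTED_DIRS = {
    "regsvcs.exe": (r"c:\windows\microsoft.net\framework", r"c:\windows\microsoft.net\framework64"),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"


def parse_report(text: str) -> List[Dict]:
    """One dict per 'General' block: lower-cased field names plus a 'yara' hit list."""
    records: List[Dict] = []
    for chunk in re.split(r"^General\s*$", text, flags=re.M)[1:]:
        rec: Dict = {"yara": []}
        for line in chunk.strip().splitlines():
            line = line.strip()
            m = YARA_LINE.match(line)
            if m:
                # Assumption: the first dotted field of the Source id is the process index.
                proc_index = int(m["src"].split(".")[0], 16)
                rec["yara"].append({"rule": m["rule"], "proc_index": proc_index})
            elif ":" in line:
                key, _, value = line.partition(":")
                rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each suspicious process path to its findings; clean processes are absent."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_hash: Dict[tuple, set] = defaultdict(set)
    for rec in records:
        path = rec["path"]
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        by_hash[(rec.get("md5 hash"), rec.get("file size"))].add(path)
        # Known .NET utility executing from an unexpected directory (copy used as injection host).
        if name in EXPECTED_DIRS and not low.startswith(EXPECTED_DIRS[name]):
            findings[path].append(f"{name} running outside its framework directory")
        # Script host started on a script dropped under the user's Temp directory.
        if name in SCRIPT_HOSTS and USER_TEMP in rec.get("commandline", "").lower():
            findings[path].append("script host launched on a script under the user's Temp directory")
        rules = sorted({hit["rule"] for hit in rec["yara"]})
        if rules:
            findings[path].append("in-memory Yara hits: " + ", ".join(rules))
    # The same bytes under two names: a dropped payload copied to a persistence location.
    for (md5, size), paths in by_hash.items():
        if md5 and len(paths) > 1:
            for p in paths:
                others = ", ".join(sorted(paths - {p}))
                findings[p].append(f"identical binary (MD5 {md5}, {size}) also present as {others}")
    return dict(findings)


if __name__ == "__main__":
    for proc, notes in triage(parse_report(REPORT)).items():
        print(proc)
        for note in notes:
            print("  -", note)
```

On a live host the same checks translate directly into an EDR or Sysmon query (process image path versus expected directory, script host command lines referencing Temp, and identical hashes across Temp and Program Files), which is how a responder would confirm the persistence copy without relying on the sandbox's Yara hits alone.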

                                                Disassembly

                                                Code Analysis
