
Windows Analysis Report PO#042.exe

Overview

General Information

Sample Name: PO#042.exe
Analysis ID: 528392
MD5: 081ec29dd4df8134f1f0c51f5620dd1a
SHA1: a41a3e4874f2dedcc28a732f12c2a9e0efc84995
SHA256: d9aa3e1081c4300ab2c24df237e2ce1f3d66e0c1b8856a2a01d5b95449dccf58
Tags: exe, NanoCore, RAT

Detection

Nanocore, AveMaria, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected MailPassView
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • PO#042.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\PO#042.exe" MD5: 081EC29DD4DF8134F1F0C51F5620DD1A)
    • schtasks.exe (PID: 6516 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO#042.exe (PID: 6576 cmdline: {path} MD5: 081EC29DD4DF8134F1F0C51F5620DD1A)
      • schtasks.exe (PID: 6488 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PO#042.exe (PID: 6708 cmdline: C:\Users\user\Desktop\PO#042.exe 0 MD5: 081EC29DD4DF8134F1F0C51F5620DD1A)
    • schtasks.exe (PID: 3576 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO#042.exe (PID: 5768 cmdline: {path} MD5: 081EC29DD4DF8134F1F0C51F5620DD1A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "15c24b29-1f3d-4f9d-946e-af4f83ba", "Group": "Blaze", "Domain1": "rickjohssn.ddns.net", "Domain2": "", "Port": 5612, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)

00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

(74 entries in total; only the first five are listed here.)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)

11.2.PO#042.exe.5700000.13.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

11.2.PO#042.exe.5700000.13.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

17.0.PO#042.exe.400000.12.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

17.0.PO#042.exe.400000.12.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

17.0.PO#042.exe.400000.12.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

(160 entries in total; only the first five are listed here.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PO#042.exe, ProcessId: 6576, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PO#042.exe, ProcessId: 6576, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#042.exe" , ParentImage: C:\Users\user\Desktop\PO#042.exe, ParentProcessId: 7120, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp, ProcessId: 6516

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PO#042.exe, ProcessId: 6576, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PO#042.exe, ProcessId: 6576, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "15c24b29-1f3d-4f9d-946e-af4f83ba", "Group": "Blaze", "Domain1": "rickjohssn.ddns.net", "Domain2": "", "Port": 5612, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: PO#042.exe | ReversingLabs: Detection: 25%
Yara detected AveMaria stealer
Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe | ReversingLabs: Detection: 33%
Yara detected Nanocore RAT
Source: Yara match | File source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.40e6694.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR
Machine Learning detection for sample
Source: PO#042.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe | Joe Sandbox ML: detected
Source: 17.0.PO#042.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.PO#042.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.PO#042.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.PO#042.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.PO#042.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.PO#042.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.PO#042.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.PO#042.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.PO#042.exe.5ab0000.15.unpack | Avira: Label: TR/NanoCore.fadte
Source: 11.0.PO#042.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.PO#042.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.PO#042.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.PO#042.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: PO#042.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\PO#042.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO#042.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs:
Source: Malware configuration extractor | URLs: rickjohssn.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: rickjohssn.ddns.net
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: Joe Sandbox View | IP Address: 194.5.97.207
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 194.5.97.207:5612
Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comm
Source: PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comt
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#042.exe, 00000001.00000003.287410020.00000000057E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO#042.exe, 00000001.00000003.286852394.00000000057E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlf
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcea
Source: PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdia
Source: PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO#042.exe, 00000001.00000003.282957394.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.282795054.00000000057B9000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#042.exe, 00000001.00000003.282808376.00000000057BE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.282795054.00000000057B9000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnI
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#042.exe, 00000001.00000003.289648753.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289683056.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289611501.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289727607.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289565689.00000000057DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/den
Source: PO#042.exe, 00000001.00000003.289347056.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289209887.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289491308.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289434100.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289252631.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289462709.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289299576.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289393307.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289528892.00000000057DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0_
Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
        Source: PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
        Source: PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/tali
        Source: PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
        Source: PO#042.exe, 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comQx
        Source: PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.come
        Source: PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comn-u
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283148319.00000000057ED000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: PO#042.exe, 00000001.00000003.283702854.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283641891.00000000057BC000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comh
        Source: PO#042.exe, 00000001.00000003.283641891.00000000057BC000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
        Source: PO#042.exe, 00000001.00000003.283148319.00000000057ED000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comt
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknownDNS traffic detected: queries for: rickjohssn.ddns.net
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_052231BA WSARecv,
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
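The URL strings listed above are of very different value to an analyst. Most of them are font-foundry addresses carried in font metadata embedded in the sample, and the trailing characters on several of them (comQx, deDPlease, comslnt) are bytes adjacent to the string in memory rather than part of the URL. The NirSoft URL goes with the MailPassView and WebBrowserPassView detections in the overview. The indicator that matters for containment is the dynamic-DNS host the sample resolves. The following Python is an added example and not part of the report: it normalises each fragment to a registrable host, deduplicates, and sorts the hosts into triage buckets. The dynamic-DNS suffix list and the font-vendor allowlist are analyst-supplied assumptions, not data from the report.

```python
"""Normalise and triage 'String found in binary or memory' URL fragments.

Added example, not part of the original sandbox report.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Public suffixes that occur in the strings above; constructed list, extend as needed.
_SUFFIXES = r"(?:co\.jp|co\.kr|com\.cn|com|net|org|jp|kr|cn|de)"
# One or more DNS labels followed by a known suffix. The match ends at the suffix,
# so 'www.tiro.comh' yields 'www.tiro.com' and 'www.urwpp.deDPlease' yields 'www.urwpp.de'.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+" + _SUFFIXES)

# Assumption: dynamic-DNS providers commonly used for RAT C2 (non-exhaustive).
DDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "no-ip.biz",
                 "duckdns.org", "hopto.org", "zapto.org")

# Assumption: font foundries whose URLs ride along in embedded font metadata.
FONT_VENDOR_HOSTS = {
    "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
    "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
    "www.tiro.com", "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
}


def extract_host(indicator: str) -> Optional[str]:
    """Return the registrable host found in a URL or bare domain string, or None."""
    m = HOST_RE.search(indicator)
    return m.group(0).lower() if m else None


def classify(host: str) -> str:
    """Sort a host into a triage bucket."""
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        return "dynamic-dns"                  # candidate C2: block, resolve, pivot on the name
    if host == "nirsoft.net" or host.endswith(".nirsoft.net"):
        return "credential-recovery-tooling"  # consistent with the embedded NirSoft tools
    if host in FONT_VENDOR_HOSTS:
        return "font-metadata-noise"          # not an indicator of compromise
    return "review"


def triage(indicators: Iterable[str]) -> Dict[str, List[str]]:
    """Deduplicate by host and group into buckets, each sorted for stable output."""
    buckets: Dict[str, set] = defaultdict(set)
    for raw in indicators:
        host = extract_host(raw)
        if host:
            buckets[classify(host)].add(host)
    return {name: sorted(hosts) for name, hosts in buckets.items()}


# Strings copied from the report lines above.
REPORT_STRINGS = [
    "http://www.galapagosdesign.com/staff/den",
    "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://www.goodfont.co.kr",
    "http://www.jiyu-kobo.co.jp/0_",
    "http://www.jiyu-kobo.co.jp/jp/v",
    "http://www.nirsoft.net/",
    "http://www.sajatypeworks.comQx",
    "http://www.sajatypeworks.comn-u",
    "http://www.sakkal.com",
    "http://www.sandoll.co.kr",
    "http://www.tiro.comslnt",
    "http://www.tiro.comh",
    "http://www.typography.netD",
    "http://www.urwpp.deDPlease",
    "http://www.zhongyicts.com.cn",
    "rickjohssn.ddns.net",  # from the 'DNS traffic detected' line
]

if __name__ == "__main__":
    for bucket, hosts in sorted(triage(REPORT_STRINGS).items()):
        print(f"{bucket}:")
        for h in hosts:
            print(f"  {h}")
```

Run against the report's strings, only rickjohssn.ddns.net lands in the dynamic-dns bucket and only www.nirsoft.net in the tooling bucket; the ten font hosts collapse into the noise bucket. Anything that falls into "review" is a host the allowlist does not know and deserves a manual look before it is either blocked or discarded.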

        E-Banking Fraud:

        Yara detected AveMaria stealer
        Source: Yara match; File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Yara detected Nanocore RAT
        Source: Yara match; File source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.40e6694.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR
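Every memory source quoted in these Yara hits is a dump name of the form PPPPPPPP.SSSSSSSS.NNNNNNNNN.BBBBBBBBBBBBBBBB.RRRRRRRR.TTTTTTTT.sdmp. The first two fields are the process number and dump stage in hex and line up with the N.S.PO#042.exe.*.unpack artifacts listed beside them (0000000B.00000002 is the same dump set as 11.2.PO#042.exe.*). The fourth field is the region base address and the fifth reads as the Win32 PAGE_* protection of that region: the heap-range dumps carry 00000004 (PAGE_READWRITE), while every dump at 0000000000402000 carries 00000040 (PAGE_EXECUTE_READWRITE), which is consistent with a PE written into the process by the injection the overview reports rather than an image mapped by the loader. The Python below is an added example, not part of the report: it parses these names out of "Source:" lines and flags writable-executable regions in the image range. The meaning of the third and sixth fields is assumed here (a dump sequence number and an allocation-type flag) and both are carried through undecoded; the image-range window is a heuristic chosen for this example.

```python
"""Parse sandbox memory-dump names out of report 'Source:' lines.

Added example, not part of the original report. The third (sequence) and
sixth (allocation-type flag) components are interpreted on assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp"
)

# Win32 page-protection constants from winnt.h (low byte only; guard/nocache bits ignored).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_READWRITE = 0x40

# Heuristic for this example: the default 32-bit image base and a 4 MiB window above it.
IMAGE_RANGE = (0x400000, 0x800000)


@dataclass(frozen=True)
class Dump:
    process: int   # process number, hex in the file name
    stage: int     # dump stage, hex in the file name
    seq: int       # assumed: dump sequence number
    base: int      # region base address
    protect: int   # Win32 PAGE_* value of the region
    extra: int     # assumed: allocation-type flag, carried through undecoded

    @property
    def label(self) -> str:
        """'process.stage', the prefix the report uses for its *.unpack artifacts."""
        return f"{self.process}.{self.stage}"

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    def looks_like_injected_image(self) -> bool:
        """RWX memory inside the image range: a PE written into the process, not loader-mapped."""
        lo, hi = IMAGE_RANGE
        return (self.protect & 0xFF) == PAGE_EXECUTE_READWRITE and lo <= self.base < hi


def parse_sources(lines: Iterable[str]) -> List[Dump]:
    """Extract every dump name from each line, in order of appearance."""
    dumps: List[Dump] = []
    for line in lines:
        for m in SDMP_RE.finditer(line):
            dumps.append(Dump(
                process=int(m["proc"], 16), stage=int(m["stage"], 16), seq=int(m["seq"]),
                base=int(m["base"], 16), protect=int(m["protect"], 16), extra=int(m["extra"], 16),
            ))
    return dumps


def injected_image_dumps(dumps: Iterable[Dump]) -> List[Tuple[str, str]]:
    """Unique (process.stage, base) pairs whose region looks like an injected PE."""
    return sorted({(d.label, hex(d.base)) for d in dumps if d.looks_like_injected_image()})


# Source lines copied from the report above (a subset). The first keeps the fused
# 'sdmpString found' form the page renders, to show the parser tolerates it.
SAMPLE_LINES = [
    "Source: PO#042.exe, 00000001.00000003.289648753.00000000057DE000.00000004.00000001.sdmp, "
    "PO#042.exe, 00000001.00000003.289683056.00000000057DE000.00000004.00000001.sdmpString found "
    "in binary or memory: http://www.galapagosdesign.com/staff/den",
    "Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY",
    "Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    parsed = parse_sources(SAMPLE_LINES)
    for d in parsed:
        print(f"{d.label:>5}  base={d.base:#010x}  {d.protect_name}")
    print("injected image candidates:", injected_image_dumps(parsed))
```

On the sample lines the two 0x402000 regions (processes 11 and 17) are reported as injected-image candidates, while the 0x57DE000, 0x5AB0000 and 0x4411000 regions are plain PAGE_READWRITE heap and are not. The same grouping by process.stage is what lets you tie a MEMORY hit back to the matching *.unpack file for offline Yara or disassembly.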

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 11.2.PO#042.exe.5700000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.64d4c9f.21.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.6470000.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.6470000.18.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.3154bf4.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.427e406.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.317546c.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.6490000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.64d0000.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.6510000.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.426467d.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.3160e00.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.3.PO#042.exe.4457555.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.64c0000.20.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.64c0000.20.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.427e406.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.3.PO#042.exe.444b321.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.6490000.19.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.6510000.24.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.6450000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.64de8a4.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.6450000.17.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.40d7df0.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.PO#042.exe.2f93890.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.64d0000.23.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.425aa78.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 11.3.PO#042.exe.446bb86.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.317546c.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.PO#042.exe.30e1618.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample; Static PE information: Filename: PO#042.exe
        Source: PO#042.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 11.2.PO#042.exe.5700000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.5700000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.64d4c9f.21.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64d4c9f.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.6470000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6470000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.6470000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6470000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.3154bf4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.3154bf4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.427e406.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.427e406.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.317546c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.317546c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.6490000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6490000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.64d0000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64d0000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.6510000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6510000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.426467d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.426467d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.3160e00.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.3160e00.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.3.PO#042.exe.4457555.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.PO#042.exe.4457555.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.64c0000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64c0000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.64c0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64c0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.427e406.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.427e406.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.3.PO#042.exe.444b321.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.PO#042.exe.444b321.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.6490000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6490000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.6510000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6510000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.6450000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6450000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.64de8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64de8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.6450000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.6450000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.40d7df0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.40d7df0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.PO#042.exe.2f93890.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.2f93890.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.64d0000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.64d0000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.425aa78.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.425aa78.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.3.PO#042.exe.446bb86.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.PO#042.exe.446bb86.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.317546c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.PO#042.exe.30e1618.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.PO#042.exe.30e1618.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_05221A82 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_05221A47 NtQuerySystemInformation,
        Source: PO#042.exeBinary or memory string: OriginalFilename vs PO#042.exe
        Source: PO#042.exe, 00000001.00000002.308683307.0000000006DA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO#042.exe
        Source: PO#042.exe, 00000001.00000002.306918884.0000000005670000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#042.exe
        Source: PO#042.exe, 00000001.00000002.304875999.000000000338E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO#042.exe
        Source: PO#042.exeBinary or memory string: OriginalFilename vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557389681.00000000030D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.559544744.0000000005AD0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557931863.0000000004200000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557931863.0000000004200000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557931863.0000000004200000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.557931863.0000000004200000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exeBinary or memory string: OriginalFilename vs PO#042.exe
        Source: PO#042.exe, 0000000E.00000002.331230747.00000000071C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO#042.exe
        Source: PO#042.exe, 0000000E.00000002.330653031.0000000005690000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#042.exe
        Source: PO#042.exe, 0000000E.00000002.329276713.000000000346E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO#042.exe
        Source: PO#042.exe, 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO#042.exe
        Source: PO#042.exeBinary or memory string: OriginalFilename vs PO#042.exe
        Source: PO#042.exe, 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PO#042.exe
        Source: PO#042.exe, 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exe, 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PO#042.exe
        Source: PO#042.exeBinary or memory string: OriginalFilenamejqHcjoY.exe@ vs PO#042.exe
        Source: PO#042.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qCsCiBEHcy.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: PO#042.exeReversingLabs: Detection: 25%
        Source: C:\Users\user\Desktop\PO#042.exeFile read: C:\Users\user\Desktop\PO#042.exe
        Source: PO#042.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PO#042.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\PO#042.exe "C:\Users\user\Desktop\PO#042.exe"
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\PO#042.exe C:\Users\user\Desktop\PO#042.exe 0
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp
        Source: C:\Users\user\Desktop\PO#042.exeProcess created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: C:\Users\user\Desktop\PO#042.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_05221842 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_0522180B AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\PO#042.exeFile created: C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe
        Source: C:\Users\user\Desktop\PO#042.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5821.tmp
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/10@15/1
        Source: C:\Users\user\Desktop\PO#042.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\PO#042.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PO#042.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{15c24b29-1f3d-4f9d-946e-af4f83ba5e28}
        Source: C:\Users\user\Desktop\PO#042.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_01
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: C:\Users\user\Desktop\PO#042.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\PO#042.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: PO#042.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PO#042.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp
        Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PO#042.exe, 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: PO#042.exe, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: qCsCiBEHcy.exe.1.dr, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 1.2.PO#042.exe.ce0000.0.unpack, u0006u2000.cs.Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 1.0.PO#042.exe.ce0000.0.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.0.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.9.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.11.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.2.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.PO#042.exe.8c0000.1.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.13.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.7.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.3.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.5.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.PO#042.exe.8c0000.1.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552851 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552C10 push ecx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552C1D push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552CC5 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552C35 push ecx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_015527B4 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_015528BD push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552CB9 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552E60 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552BED push ecx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_01552869 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_053432C3 push ecx; iretd
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_0552D9D7 push dword ptr [ebp-49CAEAC6h]; retf
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_0552DC04 push ebp; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_055298A8 pushfd ; retf
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_05529770 pushad ; retf
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 1_2_05524EA8 push ebx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F3091 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F28BD push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F27B4 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2DCD push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2D48 push ecx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2DD9 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2F54 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F3454 push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2851 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2D6D push eax; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2869 push edi; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_010F2D60 push ecx; ret
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_011081DB push eax; retf
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_011081C3 push eax; retf
        Source: initial sample Static PE information: section name: .text entropy: 7.96966577385
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.PO#042.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.PO#042.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.PO#042.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.0.PO#042.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.PO#042.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.PO#042.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\PO#042.exe File created: C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp
        Source: C:\Users\user\Desktop\PO#042.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: Process Memory Space: PO#042.exe PID: 7120, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: PO#042.exe, 00000001.00000002.304844229.000000000335B000.00000004.00000001.sdmp, PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: PO#042.exe, 00000001.00000002.304844229.000000000335B000.00000004.00000001.sdmp, PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\PO#042.exe TID: 5140 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6932 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6932 Thread sleep count: 309 > 30
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6932 Thread sleep count: 1075 > 30
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6924 Thread sleep count: 297 > 30
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6908 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\PO#042.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Window / User API: threadDelayed 1075
        Source: C:\Users\user\Desktop\PO#042.exe Window / User API: foregroundWindowGot 776
        Source: C:\Users\user\Desktop\PO#042.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PO#042.exe Code function: 11_2_052229D2 GetSystemInfo,
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PO#042.exe Thread delayed: delay time: 922337203685477
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: VMWARE
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
        Source: PO#042.exe, 0000000E.00000002.329238879.000000000343B000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\PO#042.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PO#042.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\PO#042.exe Memory written: C:\Users\user\Desktop\PO#042.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\PO#042.exe Memory written: C:\Users\user\Desktop\PO#042.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp
        Source: C:\Users\user\Desktop\PO#042.exe Process created: C:\Users\user\Desktop\PO#042.exe {path}
        Source: PO#042.exe, 0000000B.00000002.557737416.0000000003378000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557608800.0000000003263000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557711902.0000000003376000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.557581847.000000000325F000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.556730213.0000000001620000.00000002.00020000.sdmp Binary or memory string: Program Manager
        Source: PO#042.exe, 0000000B.00000002.556730213.0000000001620000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: PO#042.exe, 0000000B.00000002.556730213.0000000001620000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: PO#042.exe, 0000000B.00000002.556730213.0000000001620000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PO#042.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\PO#042.exe | Code function: 11_2_010FAF9A GetUserNameW,
        Source: C:\Users\user\Desktop\PO#042.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PO#042.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PO#042.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected MailPassView
        Source: Yara match | File source: 11.2.PO#042.exe.43ba8e0.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.43ba8e0.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.3154bf4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40e6694.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.317546c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.3160e00.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Yara detected AveMaria stealer
        Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Yara detected Nanocore RAT
        Source: Yara match | File source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40e6694.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR
        Yara detected WebBrowserPassView password recovery tool
        Source: Yara match | File source: 11.2.PO#042.exe.7181ea8.25.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.3154bf4.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.7181ea8.25.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.317546c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.3160e00.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PO#042.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.557389681.00000000030D1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.557389681.00000000030D1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PO#042.exe, 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.557931863.0000000004200000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PO#042.exe, 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000B.00000003.525896857.0000000004427000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PO#042.exe, 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PO#042.exe, 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected AveMaria stealer
        Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Yara detected Nanocore RAT
        Source: Yara match | File source: 17.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fc30ed.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab4629.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fbeac4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.5ab0000.15.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.4515f40.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.PO#042.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.PO#042.exe.3fb9c8e.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.0.PO#042.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40d7df0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40e6694.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.PO#042.exe.40dca8f.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.PO#042.exe.450f8c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.4490d30.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PO#042.exe.442f8c0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PO#042.exe PID: 6576, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: PO#042.exe PID: 6708, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: PO#042.exe PID: 5768, type: MEMORYSTR
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_05222B2E bind,
        Source: C:\Users\user\Desktop\PO#042.exeCode function: 11_2_05222ADC bind,

        Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture11 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion21 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol21 | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Trailing digits on a technique name are the report's signature-count superscripts.

        Behavior Graph

Behavior Graph ID: 528392 | Sample: PO#042.exe | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100
Start-node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 16 other signatures
• Start -> PO#042.exe (node 8) started; Start -> PO#042.exe (node 12) started
• PO#042.exe (8) dropped: C:\Users\user\AppData\...\qCsCiBEHcy.exe (PE32); C:\Users\user\AppData\Local\...\tmp5821.tmp (XML); C:\Users\user\AppData\...\PO#042.exe.log (ASCII)
• PO#042.exe (8) signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
• PO#042.exe (8) started: PO#042.exe (14); schtasks.exe (18)
• PO#042.exe (12) started: schtasks.exe (20); PO#042.exe (22)
• PO#042.exe (14) DNS/IP: rickjohssn.ddns.net 194.5.97.207 (ports 49715, 49716, 49719), DANILENKODE, Netherlands; dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); started: schtasks.exe (24)
• schtasks.exe (18) started conhost.exe (26); schtasks.exe (20) started conhost.exe (28); schtasks.exe (24) started conhost.exe (30)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
PO#042.exe | 25% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
PO#042.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

        Unpacked PE Files

Source | Detection | Scanner | Label
17.0.PO#042.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.PO#042.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.PO#042.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.PO#042.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.PO#042.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.PO#042.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.PO#042.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.2.PO#042.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.PO#042.exe.5ab0000.15.unpack | 100% | Avira | TR/NanoCore.fadte
11.0.PO#042.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.PO#042.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.PO#042.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.PO#042.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

Source | Detection | Scanner | Label
rickjohssn.ddns.net | 1% | Virustotal |

        URLs

Source | Detection | Scanner | Label
 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.comn-u | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/tali | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.founder.com.cn/cnI | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.fontbureau.comdia | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/den | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/S | 0% | URL Reputation | safe
http://www.tiro.comslnt | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.tiro.comt | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/sl-s | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/J | 0% | URL Reputation | safe
http://www.carterandcone.comt | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/v | 0% | URL Reputation | safe
http://www.carterandcone.comn | 0% | URL Reputation | safe
rickjohssn.ddns.net | 0% | Avira URL Cloud | safe
http://www.carterandcone.comm | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/0_ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.sajatypeworks.comQx | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcea | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/k | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
http://www.tiro.comh | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rickjohssn.ddns.net | 194.5.97.207 | true | true | | unknown

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
rickjohssn.ddns.net | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.comn-u | PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/tali | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283148319.00000000057ED000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnI | PO#042.exe, 00000001.00000003.282808376.00000000057BE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.282795054.00000000057B9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comdia | PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO#042.exe, 00000001.00000003.289347056.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289209887.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289491308.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289434100.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289252631.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289462709.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289299576.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289393307.00000000057DD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289528892.00000000057DE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/den | PO#042.exe, 00000001.00000003.289648753.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289683056.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289611501.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289727607.00000000057DE000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.289565689.00000000057DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | PO#042.exe, 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp, PO#042.exe, 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/X | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlf | PO#042.exe, 00000001.00000003.286852394.00000000057E0000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/S | PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comslnt | PO#042.exe, 00000001.00000003.283641891.00000000057BC000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comt | PO#042.exe, 00000001.00000003.283148319.00000000057ED000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/sl-s | PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/J | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comt | PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/v | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comn | PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comm | PO#042.exe, 00000001.00000003.283635798.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | PO#042.exe, 00000001.00000003.282957394.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.282795054.00000000057B9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/u | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/t | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | PO#042.exe, 00000001.00000003.287410020.00000000057E0000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/0_ | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/o | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comQx | PO#042.exe, 00000001.00000003.281791395.00000000057CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcea | PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | PO#042.exe, 00000001.00000002.307335981.00000000057B0000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.303866518.00000000057B0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/k | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO#042.exe, 00000001.00000002.307887554.00000000069C2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/d | PO#042.exe, 00000001.00000003.284053472.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283915114.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284179443.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284063374.00000000057BF000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284128204.00000000057B2000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.284349269.00000000057BD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comh | PO#042.exe, 00000001.00000003.283702854.00000000057BD000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283641891.00000000057BC000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283615381.00000000057BB000.00000004.00000001.sdmp, PO#042.exe, 00000001.00000003.283582203.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.97.207 | rickjohssn.ddns.net | Netherlands | 208476 | DANILENKODE | true

                                  General Information

                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:528392
                                  Start date:25.11.2021
                                  Start time:08:12:29
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 11m 27s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:PO#042.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:31
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@15/10@15/1
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 0.6% (good quality ratio 0.6%)
                                  • Quality average: 67.7%
                                  • Quality standard deviation: 14.2%
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • TCP Packets have been reduced to 100
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                  • Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  Time:08:13:27
                                  Type:API Interceptor
                                  Description:2x Sleep call for process: PO#042.exe modified

                                  Time:08:13:35
                                  Type:Task Scheduler
                                  Description:Run new task: DHCP Monitor path: "C:\Users\user\Desktop\PO#042.exe" s>$(Arg0)

                                  Joe Sandbox View / Context

                                  IPs

                                  Match:194.5.97.207
                                  Associated Sample Name / URL (Detection:malicious):
                                  • RzUbuIerbF.exe
                                  • NOA MU21S0029729.exe
                                  • SK202-8 #YN12-60387.exe
                                  • a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe
                                  • 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe
                                  • 5zLV4brBQ7.exe
                                  • Bank Information.exe

                                                Domains

                                                No context

                                                ASN

                                                 Match:DANILENKODE
                                                 Associated Sample Name / URL (Detection:malicious), each with its IP in this ASN:
                                                 • Original Bill of Lading_xls.exe (194.5.97.128)
                                                 • NEUE BESTELLUNG 132542,pdf.exe (194.5.97.23)
                                                 • Purchase Order.exe (194.5.97.210)
                                                 • PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe (194.5.98.48)
                                                 • purchase order Nl32855 (1).exe (194.5.98.139)
                                                 • 8mTwU7uNFV.exe (194.5.97.131)
                                                 • KNpmkMT5f3.exe (194.5.98.12)
                                                 • scvRj4lo1E.exe (194.5.98.11)
                                                 • #RFQ ORDER484425083-NJ.exe (194.5.98.120)
                                                 • RzUbuIerbF.exe (194.5.97.207)
                                                 • SIGNED_COPY_IMG_ORDER_...REQUEST_IMG_123456.exe (194.5.98.5)
                                                 • NOA MU21S0029729.exe (194.5.97.207)
                                                 • New purchase order 4940009190,pdf.exe (194.5.97.23)
                                                 • Fattura_del_cliente_V406307-scan.exe (194.5.97.165)
                                                 • ML822VOG-R11.doc (194.5.97.131)
                                                 • 6Xzgfme0z6.exe (194.5.97.131)
                                                 • ESTADO+10+DE+NOVIEMBRE+DE+2021-101121.pdf.js (194.5.98.48)
                                                 • RTQFHtPW9x.exe (194.5.98.107)
                                                 • Document#053681.exe (194.5.98.204)
                                                 • 4vo6jE1nlG.exe (194.5.97.54)

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO#042.exe.log
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):525
                                                Entropy (8bit):5.2874233355119316
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\tmp5821.tmp
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1643
                                                Entropy (8bit):5.1926346339507825
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3tn:cbh47TlNQ//rydbz9I3YODOLNdq37
                                                MD5:BC9DDCAFECB58D40C63482034EAAE2AF
                                                SHA1:131776F663E55D39485741E3035EE8F38F74B65F
                                                SHA-256:698B96E1DBB7D6C1B6531750D43BBDCEB0638CEA37F6CFCC3EFC9878C769F5A7
                                                SHA-512:02A61BB90F0F748D118B9254BDCE6029C01B1DB59581921CD65BFB37DB4F1127F4DFBD93564CC289F238312C7678F070FDB0055241528BF61C1DC41A552FD8DA
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmp82EA.tmp
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1643
                                                Entropy (8bit):5.1926346339507825
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3tn:cbh47TlNQ//rydbz9I3YODOLNdq37
                                                MD5:BC9DDCAFECB58D40C63482034EAAE2AF
                                                SHA1:131776F663E55D39485741E3035EE8F38F74B65F
                                                SHA-256:698B96E1DBB7D6C1B6531750D43BBDCEB0638CEA37F6CFCC3EFC9878C769F5A7
                                                SHA-512:02A61BB90F0F748D118B9254BDCE6029C01B1DB59581921CD65BFB37DB4F1127F4DFBD93564CC289F238312C7678F070FDB0055241528BF61C1DC41A552FD8DA
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmpE454.tmp
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1296
                                                Entropy (8bit):5.109973900909971
                                                Encrypted:false
                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0j8xtn:cbk4oL600QydbQxIYODOLedq3W8j
                                                MD5:4F1801BE0F2561BC7A685C90F44B571A
                                                SHA1:E9BC36FE56E489EBAD5C03FA84E43C4FFCD6AFF5
                                                SHA-256:CEA799752CC5190FD0C0A5138C56CC9ADFDFAD966C05E8AEEAE865EADEC8F6F0
                                                SHA-512:EE4CCF6BF2CBFEEB5D409513C241E2DB7B90EAC7EF7F55BD63F923B9739A0A02E721ED8D48125A9EA3EAD49F65695D7A87968882CD46BAD491D6F99732D42193
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):128
                                                Entropy (8bit):6.527114648336088
                                                Encrypted:false
                                                SSDEEP:3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
                                                MD5:0A9C5EAE8756D6FC90F59D8D71A79E1E
                                                SHA1:0F7D6AAED17CD18DC614535ED26335C147E29ED7
                                                SHA-256:B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
                                                SHA-512:78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
                                                Malicious:false
                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P.OT....g.t......'7......)..8zII..K/....n3...3.5.......&.7].)..wL...:}g...@...mV.....JUP...w
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:3:PiLq:aLq
                                                MD5:BCC68C34BF7F957C15E590FA3E88242F
                                                SHA1:FD65CAE12EF03CDE4ECE60562608A99F9588D600
                                                SHA-256:D60E408E5A510870813F09E7F9A5C62D0B4F6C0B15C016C8AC78C8EB896DA1C3
                                                SHA-512:A6378EF4B54598249B39DC58D2AE364C53C3FDA287A7F0D86B40F80A61299649F9E8A5B307C4456B1E684B639344F9C21A7094A48DE5857FBD25D30B60936A88
                                                Malicious:true
                                                Preview: z.2....H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):40
                                                Entropy (8bit):5.153055907333276
                                                Encrypted:false
                                                SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                Malicious:false
                                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):367496
                                                Entropy (8bit):7.999535722214108
                                                Encrypted:true
                                                SSDEEP:6144:3rv1Xjouu5ZMQajChQSE0Rp30gbdoh5Y2cmSPCqA9BCNHku9BdFqB3GbiCX:D1TousJSafd6imJd8EeBdF7biCX
                                                MD5:4D784935677AE26ACDC3FB84FA1E6CF8
                                                SHA1:4B143D26638C2BE44BE05D862E5CD1BEA3664825
                                                SHA-256:C77E2D82DB9066E4DBFDE3AE0461A4259505F435EC0DB2CE3BD005BE0E2DE67C
                                                SHA-512:193295AB3FBCE6BA4A563DD864839F5D7A3B8F351F576DE2C85E2F3978F3E33EF22299224DFD7D2F5506A2CAFB04656E19676F28B21F19C504B2D43921063554
                                                Malicious:false
                                                Preview: ..m.....%.8C......o`.M..d....mvW5].N ...c....m.b..1^J@....M.!.aq.f....<....._..;i.1-+.wZ..C@Z...> .P9.K..[~....1.......#.Djp...q..z..HoR/..8....k.......\.7..c..]_....._F.....3Z.9U........r..8..]..%n..Q..^<s`L{. ..9.o..wU33z...hJG..!..a.?mI...}.H}...o.Zs`.....~..x....".7.{....k.>. @X.\j........57..C..f.v...:..Q<.B.o..x..s}\.`....z..E@$.!.}}.&.VI........Y.....gU..b.b..l..Bg....bh.$.....f.B...e.f...a.....v.....9..x.#.......*[......=.T#.,.6.uN.........D.jdQ..go.T..+..N.U-.w.a..6 C.5.vMy....S...V...I..:..v2..V..................G..P K.{.&............o...q......`~.i8........+k.F...o.$TP....l.......;T..3.a.u.f..)...4b...-.r.&(<....'....n.[...b....k....W.Vp..G`..~..."k....Y../l3`....u_.L...#.....;....m.cV.|.:........#..P9;....Q..*F.._%.f..0...'.z.i..#;.X=.utJ...)9".......k..E..K...\..cc-..8<..f.T!{..c....S`4{....D2..s.....)`.h.;.QQ^mP.M77.'M.....q C).l....<..]QA.,...p......4..XQ.xu.w.z..g~.%M.....D...!.h.F.$~.....n%'.lt..E...h=......).?......N.K?.M.48..
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):33
                                                Entropy (8bit):4.35485207383835
                                                Encrypted:false
                                                SSDEEP:3:oNWXp5v1qC4An:oNWXpFgC4An
                                                MD5:14FF4FB46A04E960CC58BA22CB62A191
                                                SHA1:C586A0EFD442B6D00FC49C2E225EDF9170A3D3A1
                                                SHA-256:371038D01254CF846F9B88263579B6B1808152C154CA42ED436F8831DAB8E971
                                                SHA-512:1FEB71C24BDAEEF54DC5C4BF9D627CA4F31C05AF52E1153F458DB8C068FDCE47057169E947322879CC1875AF4DD33892958F954D9DFA20B84273C5B47FC00FB3
                                                Malicious:false
                                                Preview: C:\Users\user\Desktop\PO#042.exe
                                                C:\Users\user\AppData\Roaming\qCsCiBEHcy.exe
                                                Process:C:\Users\user\Desktop\PO#042.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):441344
                                                Entropy (8bit):7.961902355627955
                                                Encrypted:false
                                                SSDEEP:12288:zZYWUs9aNUDmR+SDZdzVbC0cy4d5cwXEzXtfya3:NDU+dm4ozVbClLd5rXgMa3
                                                MD5:081EC29DD4DF8134F1F0C51F5620DD1A
                                                SHA1:A41A3E4874F2DEDCC28A732F12C2A9E0EFC84995
                                                SHA-256:D9AA3E1081C4300AB2C24DF237E2CE1F3D66E0C1B8856A2A01D5B95449DCCF58
                                                SHA-512:218A57098C4F3069158C3F9340803BF344D16862F1ED91A74CC4CC62EF77B1A9DD9FDEAF37973677622D8F81393048C7A340EDDF6B2F90C7C7539223E29E4564
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 33%
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a................................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........9......j...dQ..lE..........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....oh...*..{....*.s..

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.961902355627955
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:PO#042.exe
                                                File size:441344
                                                MD5:081ec29dd4df8134f1f0c51f5620dd1a
                                                SHA1:a41a3e4874f2dedcc28a732f12c2a9e0efc84995
                                                SHA256:d9aa3e1081c4300ab2c24df237e2ce1f3d66e0c1b8856a2a01d5b95449dccf58
                                                SHA512:218a57098c4f3069158c3f9340803bf344d16862f1ed91a74cc4cc62ef77b1a9dd9fdeaf37973677622d8f81393048c7a340eddf6b2f90c7c7539223e29e4564
                                                SSDEEP:12288:zZYWUs9aNUDmR+SDZdzVbC0cy4d5cwXEzXtfya3:NDU+dm4ozVbClLd5rXgMa3
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a................................. ........@.. ....................... ............@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x46d0de
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x619F149C [Thu Nov 25 04:44:12 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v2.0.50727
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6d084          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6e000          0x580         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x70000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x6b0e4       0x6b200   False     0.967405374854   data       7.96966577385   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x6e000          0x580         0x600     False     0.421223958333   data       4.45517854682   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x70000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                                              Language  Country
RT_VERSION   0x6e0a0  0x32c  data
RT_MANIFEST  0x6e3cc  0x1b4  XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2011
Assembly Version  1.0.0.0
InternalName      jqHcjoY.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       FileReplacement
ProductVersion    1.0.0.0
FileDescription   FileReplacement
OriginalFilename  jqHcjoY.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                                        Source Port  Dest Port  Source IP  Dest IP
11/25/21-08:13:37.483234  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           52806      8.8.8.8    192.168.2.3
11/25/21-08:13:44.167242  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           53910      8.8.8.8    192.168.2.3
11/25/21-08:13:50.712939  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           60784      8.8.8.8    192.168.2.3
11/25/21-08:13:56.812547  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           51143      8.8.8.8    192.168.2.3

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 25, 2021 08:13:37.501315117 CET  49715        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:37.749361992 CET  5612         49715      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:38.267764091 CET  49715        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:38.569212914 CET  5612         49715      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:39.078035116 CET  49715        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:40.082645893 CET  5612         49715      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:44.170156002 CET  49716        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:45.261384010 CET  5612         49716      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:45.766047955 CET  49716        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:45.951438904 CET  5612         49716      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:46.453572989 CET  49716        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:46.684612036 CET  5612         49716      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:50.760468960 CET  49719        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:50.953372002 CET  5612         49719      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:51.454020977 CET  49719        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:51.640208006 CET  5612         49719      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:52.141618013 CET  49719        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:52.398296118 CET  5612         49719      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:56.818705082 CET  49720        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:57.038470984 CET  5612         49720      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:57.548381090 CET  49720        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:57.843475103 CET  5612         49720      194.5.97.207  192.168.2.3
Nov 25, 2021 08:13:58.354196072 CET  49720        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:13:58.631485939 CET  5612         49720      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:02.670135975 CET  49721        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:04.112571955 CET  5612         49721      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:04.627042055 CET  49721        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:04.907907009 CET  5612         49721      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:05.423939943 CET  49721        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:05.611500025 CET  5612         49721      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:09.652064085 CET  49722        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:10.962426901 CET  5612         49722      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:11.471369028 CET  49722        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:11.761224985 CET  5612         49722      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:12.268296957 CET  49722        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:12.466370106 CET  5612         49722      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:16.529202938 CET  49730        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:16.780131102 CET  5612         49730      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:17.299911022 CET  49730        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:17.580354929 CET  5612         49730      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:18.096894026 CET  49730        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:18.298316956 CET  5612         49730      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:22.356169939 CET  49760        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:22.611099005 CET  5612         49760      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:23.112919092 CET  49760        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:23.300070047 CET  5612         49760      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:23.800483942 CET  49760        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:24.036930084 CET  5612         49760      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:28.086972952 CET  49761        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:28.289777994 CET  5612         49761      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:28.801090956 CET  49761        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:29.066287994 CET  5612         49761      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:29.566582918 CET  49761        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:29.769155025 CET  5612         49761      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:34.678845882 CET  49767        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:35.573529959 CET  5612         49767      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:36.176511049 CET  49767        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:36.367166042 CET  5612         49767      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:36.879704952 CET  49767        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:37.094341993 CET  5612         49767      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:41.424279928 CET  49770        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:41.647232056 CET  5612         49770      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:42.161436081 CET  49770        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:42.383279085 CET  5612         49770      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:42.895812035 CET  49770        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:43.097040892 CET  5612         49770      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:47.138761044 CET  49792        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:47.328600883 CET  5612         49792      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:47.833817959 CET  49792        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:48.109355927 CET  5612         49792      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:48.615087986 CET  49792        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:48.824681997 CET  5612         49792      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:53.031989098 CET  49793        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:53.230340958 CET  5612         49793      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:53.740556955 CET  49793        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:54.044800043 CET  5612         49793      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:54.553059101 CET  49793        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:54.752337933 CET  5612         49793      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:58.783442020 CET  49794        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:14:58.968127012 CET  5612         49794      194.5.97.207  192.168.2.3
Nov 25, 2021 08:14:59.475442886 CET  49794        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:00.640765905 CET  5612         49794      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:01.147350073 CET  49794        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:01.335067034 CET  5612         49794      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:05.393634081 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:07.834894896 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:07.835051060 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:07.874651909 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:08.114296913 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:08.163642883 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:08.285837889 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:08.654582024 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:08.654736042 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:08.665041924 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:08.665087938 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:08.710542917 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:08.806363106 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:09.274377108 CET  5612         49796      194.5.97.207  192.168.2.3
Nov 25, 2021 08:15:09.277383089 CET  49796        5612       192.168.2.3   194.5.97.207
Nov 25, 2021 08:15:09.499845982 CET  5612         49796      194.5.97.207  192.168.2.3

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 25, 2021 08:13:37.462006092 CET  52806        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:13:37.483233929 CET  53           52806      8.8.8.8      192.168.2.3
Nov 25, 2021 08:13:44.144660950 CET  53910        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:13:44.167242050 CET  53           53910      8.8.8.8      192.168.2.3
Nov 25, 2021 08:13:50.691493034 CET  60784        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:13:50.712939024 CET  53           60784      8.8.8.8      192.168.2.3
Nov 25, 2021 08:13:56.790839911 CET  51143        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:13:56.812546968 CET  53           51143      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:02.647743940 CET  56009        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:02.667552948 CET  53           56009      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:09.630845070 CET  59026        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:09.650866032 CET  53           59026      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:16.508111954 CET  49559        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:16.527796984 CET  53           49559      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:22.335279942 CET  50728        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:22.354964018 CET  53           50728      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:28.067934036 CET  53777        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:28.085798025 CET  53           53777      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:34.565203905 CET  60352        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:34.585793972 CET  53           60352      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:41.381736994 CET  56773        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:41.401089907 CET  53           56773      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:47.116056919 CET  60982        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:47.137159109 CET  53           60982      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:53.009850025 CET  58058        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:53.030652046 CET  53           58058      8.8.8.8      192.168.2.3
Nov 25, 2021 08:14:58.762325048 CET  64367        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:14:58.781963110 CET  53           64367      8.8.8.8      192.168.2.3
Nov 25, 2021 08:15:05.371923923 CET  55393        53         192.168.2.3  8.8.8.8
Nov 25, 2021 08:15:05.392036915 CET  53           55393      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
Nov 25, 2021 08:13:37.462006092 CET  192.168.2.3  8.8.8.8  0x394b    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:44.144660950 CET  192.168.2.3  8.8.8.8  0x716d    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:50.691493034 CET  192.168.2.3  8.8.8.8  0xeff5    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:56.790839911 CET  192.168.2.3  8.8.8.8  0x975d    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:02.647743940 CET  192.168.2.3  8.8.8.8  0xdffe    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:09.630845070 CET  192.168.2.3  8.8.8.8  0x27b9    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:16.508111954 CET  192.168.2.3  8.8.8.8  0xefb6    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:22.335279942 CET  192.168.2.3  8.8.8.8  0x9963    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:28.067934036 CET  192.168.2.3  8.8.8.8  0x7366    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:34.565203905 CET  192.168.2.3  8.8.8.8  0x6660    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:41.381736994 CET  192.168.2.3  8.8.8.8  0x725a    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:47.116056919 CET  192.168.2.3  8.8.8.8  0x134     Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:53.009850025 CET  192.168.2.3  8.8.8.8  0xfe7d    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:58.762325048 CET  192.168.2.3  8.8.8.8  0x48d8    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)
Nov 25, 2021 08:15:05.371923923 CET  192.168.2.3  8.8.8.8  0x2979    Standard query (0)  rickjohssn.ddns.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address       Type            Class
Nov 25, 2021 08:13:37.483233929 CET  8.8.8.8    192.168.2.3  0x394b    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:44.167242050 CET  8.8.8.8    192.168.2.3  0x716d    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:50.712939024 CET  8.8.8.8    192.168.2.3  0xeff5    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:13:56.812546968 CET  8.8.8.8    192.168.2.3  0x975d    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:02.667552948 CET  8.8.8.8    192.168.2.3  0xdffe    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:09.650866032 CET  8.8.8.8    192.168.2.3  0x27b9    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:16.527796984 CET  8.8.8.8    192.168.2.3  0xefb6    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:22.354964018 CET  8.8.8.8    192.168.2.3  0x9963    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:28.085798025 CET  8.8.8.8    192.168.2.3  0x7366    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:34.585793972 CET  8.8.8.8    192.168.2.3  0x6660    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:41.401089907 CET  8.8.8.8    192.168.2.3  0x725a    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:47.137159109 CET  8.8.8.8    192.168.2.3  0x134     No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:53.030652046 CET  8.8.8.8    192.168.2.3  0xfe7d    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:14:58.781963110 CET  8.8.8.8    192.168.2.3  0x48d8    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)
Nov 25, 2021 08:15:05.392036915 CET  8.8.8.8    192.168.2.3  0x2979    No error (0)  rickjohssn.ddns.net         194.5.97.207  A (IP address)  IN (0x0001)

Code Manipulations

Statistics

Behavior


                                                System Behavior

                                                General

                                                Start time:08:13:21
                                                Start date:25/11/2021
                                                Path:C:\Users\user\Desktop\PO#042.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\PO#042.exe"
                                                Imagebase:0xce0000
                                                File size:441344 bytes
                                                MD5 hash:081EC29DD4DF8134F1F0C51F5620DD1A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.305672479.0000000004331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:08:13:29
                                                Start date:25/11/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp"
                                                Imagebase:0xb0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:30
                                                Start date:25/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7f20f0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:30
                                                Start date:25/11/2021
                                                Path:C:\Users\user\Desktop\PO#042.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x8c0000
                                                File size:441344 bytes
                                                MD5 hash:081EC29DD4DF8134F1F0C51F5620DD1A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.301904018.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560554791.00000000064D0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.560896197.0000000007131000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.553259676.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.303219427.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560527009.00000000064C0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.557454662.000000000312D000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560629867.0000000006510000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.559477519.0000000005AB0000.00000004.00020000.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.302397117.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.558192518.00000000043BA000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.557801624.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.560816658.0000000006931000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560312852.0000000006470000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560217789.0000000006450000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.302780129.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.560367349.0000000006490000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.559222634.0000000005700000.00000004.00020000.sdmp, Author: Florian Roth
                                                Reputation:low

                                                General

                                                Start time:08:13:33
                                                Start date:25/11/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp"
                                                Imagebase:0xb0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:34
                                                Start date:25/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7f20f0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:35
                                                Start date:25/11/2021
                                                Path:C:\Users\user\Desktop\PO#042.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\PO#042.exe 0
                                                Imagebase:0xd90000
                                                File size:441344 bytes
                                                MD5 hash:081EC29DD4DF8134F1F0C51F5620DD1A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.330166499.0000000004411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:08:13:40
                                                Start date:25/11/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp"
                                                Imagebase:0xb0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:41
                                                Start date:25/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7f20f0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:13:42
                                                Start date:25/11/2021
                                                Path:C:\Users\user\Desktop\PO#042.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x960000
                                                File size:441344 bytes
                                                MD5 hash:081EC29DD4DF8134F1F0C51F5620DD1A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.341913940.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.326594390.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.327764253.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.326127526.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.327281473.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.342636302.0000000003F71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.342567013.0000000002F71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low
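The process records above show the persistence and C2 behaviour behind two of the report's signatures: the sample spawns schtasks.exe three times to register tasks ("Updates\qCsCiBEHcy" and "DHCP Monitor") from XML definitions dropped in the user's AppData\Local\Temp directory, and the injected copy resolves the dynamic DNS name rickjohssn.ddns.net to 194.5.97.207. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own rule code: it re-implements that triage over the command lines and DNS answers transcribed from this page (with the outer quotes the sandbox view strips restored, plus two constructed benign schtasks controls). The logic is modelled on the report's "Suspicius Add Task From User AppData Temp" and "Uses dynamic DNS services" findings rather than copied from any published rule, and the dynamic DNS suffix list is a short illustrative one.

```python
import ntpath
import re

# Constructed sample input, transcribed from the process and DNS records in this report.
# Outer quotes on the schtasks command lines (stripped in the sandbox view) are restored
# so they tokenize the way the real command line would. PIDs 5 and 6 are benign controls.
PROCESS_RECORDS = [
    {"pid": 1, "image": r"C:\Users\user\Desktop\PO#042.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO#042.exe"'},
    {"pid": 2, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp5821.tmp"'},
    {"pid": 3, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE454.tmp"'},
    {"pid": 4, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qCsCiBEHcy" /XML "C:\Users\user\AppData\Local\Temp\tmp82EA.tmp"'},
    {"pid": 5, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"pid": 6, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

# DNS answers as (timestamp, queried name, resolved address), from the report's DNS table.
DNS_ANSWERS = [
    ("Nov 25, 2021 08:14:58.781963110 CET", "rickjohssn.ddns.net", "194.5.97.207"),
    ("Nov 25, 2021 08:15:05.392036915 CET", "rickjohssn.ddns.net", "194.5.97.207"),
]

# Illustrative list of dynamic DNS provider suffixes; a production list would be longer.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "duckdns.org")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return the create/force/task-name/xml-path fields of a schtasks.exe command line, or None."""
    tokens = tokenize(cmdline)
    # ntpath handles the backslash paths correctly even when this runs on a non-Windows host.
    if not tokens or ntpath.basename(tokens[0]).lower() != "schtasks.exe":
        return None
    info = {"create": False, "force": False, "task_name": None, "xml_path": None}
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()  # schtasks switches are case-insensitive (/Create == /create)
        if flag == "/create":
            info["create"] = True
        elif flag == "/f":
            info["force"] = True
        elif flag in ("/tn", "/xml") and i + 1 < len(tokens):
            info["task_name" if flag == "/tn" else "xml_path"] = tokens[i + 1]
            i += 1
        i += 1
    return info


def is_suspicious_task_create(cmdline):
    """Flag task registration from an XML definition that lives in the user's Temp directory."""
    info = parse_schtasks(cmdline)
    return bool(info and info["create"] and info["xml_path"] and TEMP_DIR_RE.search(info["xml_path"]))


def is_dynamic_dns(name):
    """True when the queried name sits under one of the known dynamic DNS suffixes."""
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def triage(processes, dns_answers):
    """Run both checks and return a list of findings (one per task creation, one per name/address pair)."""
    findings = []
    for proc in processes:
        if is_suspicious_task_create(proc["cmdline"]):
            info = parse_schtasks(proc["cmdline"])
            findings.append({"kind": "scheduled_task_from_temp", "pid": proc["pid"],
                             "task_name": info["task_name"], "xml_path": info["xml_path"]})
    seen = set()
    for _, name, addr in dns_answers:
        if is_dynamic_dns(name) and (name, addr) not in seen:
            seen.add((name, addr))
            findings.append({"kind": "dynamic_dns_resolution", "name": name, "address": addr})
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_RECORDS, DNS_ANSWERS):
        print(finding)
```

Two details matter when porting this to real telemetry: the XML check keys on the path argument rather than on the image path, so the second record (which invokes a bare `schtasks.exe` with lowercase switches and `/f`) is still caught, and the task name is reported so the responder can go straight to `schtasks /Query /TN "Updates\qCsCiBEHcy" /XML` on the host to pull the registered action.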

                                                Disassembly

                                                Code Analysis
