
Windows Analysis Report: TT#U007e)9383763563783039847949N.cmd.exe

Overview

General Information

Sample Name: TT#U007e)9383763563783039847949N.cmd.exe
Analysis ID: 552771
MD5: 398e8790480f654b4d677847ba454560
SHA1: 5cf48784813136868bdf1d995500056eaeb702a2
SHA256: c839234f96d6ce5d83f511ff6aa0d0afc7a680bc478c81416592c981bb066058
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • TT#U007e)9383763563783039847949N.cmd.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" MD5: 398E8790480F654B4D677847BA454560)
    • powershell.exe (PID: 6768 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6788 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDpvSE" /XML "C:\Users\user\AppData\Local\Temp\tmp1EE6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6956 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 2672 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp3840.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3724 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp42FF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 476 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6636 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3748 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "423b1032-a4e4-4490-8998-68a509ca", "Group": "", "Domain1": "55098hustlenow.hopto.org", "Domain2": "185.140.53.130", "Port": 55098, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.517211527.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.517211527.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.517211527.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000A.00000002.523432863.00000000059D0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
0000000A.00000002.523432863.00000000059D0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(29 matching entries in the full report; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author
10.2.RegSvcs.exe.41b4c55.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x24178:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x241a5:$x2: IClientNetworkHost
10.2.RegSvcs.exe.41b4c55.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x24178:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x25253:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x24192:$s5: IClientLoggingHost
10.2.RegSvcs.exe.41b4c55.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.TT#U007e)9383763563783039847949N.cmd.exe.3b2b8b0.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TT#U007e)9383763563783039847949N.cmd.exe.3b2b8b0.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
(59 matching entries in the full report; only the first are listed here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" , ParentImage: C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe, ParentProcessId: 6280, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDpvSE" /XML "C:\Users\user\AppData\Local\Temp\tmp1EE6.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDpvSE" /XML "C:\Users\user\AppData\Local\Temp\tmp1EE6.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" , ParentImage: C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe, ParentProcessId: 6280, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wUDpvSE" /XML "C:\Users\user\AppData\Local\Temp\tmp1EE6.tmp, ProcessId: 6788
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" , ParentImage: C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe, ParentProcessId: 6280, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, ProcessId: 6768
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" , ParentImage: C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe, ParentProcessId: 6280, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe" , ParentImage: C:\Users\user\Desktop\TT#U007e)9383763563783039847949N.cmd.exe, ParentProcessId: 6280, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wUDpvSE.exe, ProcessId: 6768
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132865994266195793.6768.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6956, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000A.00000002.522152896.00000000041A9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "423b1032-a4e4-4490-8998-68a509ca", "Group": "", "Domain1": "55098hustlenow.hopto.org", "Domain2": "185.140.53.130", "Port": 55098, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: TT#U007e)9383763563783039847949N.cmd.exe; Virustotal: Detection: 30%
Source: TT#U007e)9383763563783039847949N.cmd.exe; ReversingLabs: Detection: 31%
Antivirus / Scanner detection for submitted sample
Source: TT#U007e)9383763563783039847949N.cmd.exe; Avira: detected
Antivirus detection for URL or domain
Source: 55098hustlenow.hopto.org; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\wUDpvSE.exe; Avira: detection malicious, Label: HEUR/AGEN.1211287
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wUDpvSE.exe; ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match; File source: 10.2.RegSvcs.exe.41b4c55.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT#U007e)9383763563783039847949N.cmd.exe.3b2b8b0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.5a70000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.5a74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.41b062c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.41b062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT#U007e)9383763563783039847949N.cmd.exe.3af8c90.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.41ab7f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT#U007e)9383763563783039847949N.cmd.exe.3af8c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT#U007e)9383763563783039847949N.cmd.exe.3b2b8b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.517211527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.524096119.0000000005A70000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.522152896.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.285492337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.287299484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.286086026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.286443560.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.291731877.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: TT#U007e)9383763563783039847949N.cmd.exe PID: 6280, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6956, type: MEMORYSTR
Machine Learning detection for sample
Source: TT#U007e)9383763563783039847949N.cmd.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wUDpvSE.exe; Joe Sandbox ML: detected
Source: 10.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.RegSvcs.exe.5a70000.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: 10.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: TT#U007e)9383763563783039847949N.cmd.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TT#U007e)9383763563783039847949N.cmd.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.292607922.0000000001506000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000000.306676760.0000000000662000.00000002.00020000.sdmp, dhcpmon.exe, 0000001B.00000000.312590099.0000000000B12000.00000002.00020000.sdmp, dhcpmon.exe.10.dr
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 0000001B.00000000.312590099.0000000000B12000.00000002.00020000.sdmp, dhcpmon.exe.10.dr

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 185.140.53.130
Source: Malware configuration extractor; URLs: 55098hustlenow.hopto.org
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View; IP Address: 185.140.53.130
Source: global traffic; TCP traffic: 192.168.2.7:49755 -> 185.140.53.130:55098
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249304688.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249546896.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249369869.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249269040.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249512717.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000002.295196219.0000000006BD2000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249418057.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249341299.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.249321113.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000002.290448066.0000000002A11000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000002.290665928.0000000002B05000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000002.295196219.0000000006BD2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255594967.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255372335.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255496741.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255324735.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255846246.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255935438.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255251897.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255667936.00000000059E3000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255752748.00000000059E3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.255251897.00000000059E3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html-KS
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253588617.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253223941.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253340411.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253553298.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253396882.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com#
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comEac
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTC8Zk
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253340411.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comark
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253553298.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253396882.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254128575.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254203350.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254045934.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254422402.00000000059E4000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253704993.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254268609.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254349036.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253641393.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254438755.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253588617.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comd
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253553298.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comexc
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254128575.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254045934.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comf
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253279851.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253223941.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253340411.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comh
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253279851.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253223941.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comi
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253553298.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comic
Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253279851.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253177386.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253223941.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253340411.00000000059DB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comintPM5
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254045934.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comk
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000002.295196219.0000000006BD2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253553298.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253396882.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253279851.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253704993.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253641393.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253588617.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253482384.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253340411.00000000059DB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlt
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comngH
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253704993.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.4_
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254128575.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253807964.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254045934.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253704993.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253641393.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253890150.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.Z
      Source: TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254545994.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254128575.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254203350.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254045934.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254422402.00000000059E4000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254268609.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254349036.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.254493580.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253987229.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9383763563783039847949N.cmd.exe, 00000000.00000003.253932756.00000000059DB000.00000004.00000001.sdmp, TT#U007e)9
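The same URL, http://www.carterandcone.com, is listed above more than a dozen times with different trailing characters (comd, comexc, comintPM5, como.4_, ...). That pattern is a string-extraction artifact, not a dozen distinct indicators: a printable-run scanner keeps reading past the end of the URL into whatever printable bytes happen to follow it in the memory dump. Carter & Cone is a type foundry, and its URL is found in the name tables of common fonts, so hits like these are worth folding into one normalized entry before anyone spends time on them. The following Python is an added example of that normalization and is not Joe Sandbox's or the malware's code; the memory buffer is constructed inline, and the short TLD list, the function names and the four-byte minimum run length are assumptions chosen for the demonstration:

```python
import re
from collections import defaultdict

# Minimum run length of 4, the same default as the classic `strings` tool (assumption).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")      # UTF-16LE text as Windows stores it
URL_START = re.compile(r"https?://", re.IGNORECASE)
HOST_RE = re.compile(r"(https?://)([A-Za-z0-9][A-Za-z0-9.\-]*)", re.IGNORECASE)

# Deliberately small TLD list for the demo (assumption); a real tool would use the public suffix list.
DEFAULT_TLDS = frozenset({"com", "net", "org", "co", "io"})


def extract_strings(data: bytes):
    """Return printable ASCII and UTF-16LE runs, like `strings -a` and `strings -el`."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    runs += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return runs


def split_host(host: str, tlds=DEFAULT_TLDS):
    """Split a host string into (real host, trailing junk).

    Walks the dot-separated labels; the first label that is a TLD ends the host.
    A label that merely *starts* with a TLD (comexc, comlt, como) is cut there,
    because the remainder is memory that followed the string's terminator.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        label = labels[i].lower()
        if label in tlds:
            kept = ".".join(labels[: i + 1])
            return kept, host[len(kept):]
        hit = max((t for t in tlds if label.startswith(t)), key=len, default=None)
        if hit:
            kept = ".".join(labels[:i] + [labels[i][: len(hit)]])
            return kept, host[len(kept):]
    return host, ""          # no known TLD: keep the host as scanned


def find_urls(run: str, tlds=DEFAULT_TLDS):
    """Yield (canonical_url, trailing_junk) for each URL inside one printable run."""
    out = []
    for m in URL_START.finditer(run):
        raw = run[m.start():]
        hm = HOST_RE.match(raw)
        if not hm:
            continue
        scheme, host_part = hm.group(1).lower(), hm.group(2)
        host, junk = split_host(host_part, tlds)
        rest = junk + raw[hm.end():]
        # A path, port, query or fragment is a legitimate continuation; anything else is overrun.
        if rest[:1] in ("/", ":", "?", "#"):
            out.append((scheme + host + rest, ""))
        else:
            out.append((scheme + host, rest))
    return out


def summarize_urls(data: bytes, tlds=DEFAULT_TLDS):
    """Group every URL hit in a dump under its normalized form with the junk suffixes seen."""
    groups = defaultdict(list)
    for run in extract_strings(data):
        for canonical, trailing in find_urls(run, tlds):
            groups[canonical].append(trailing)
    return {c: {"hits": len(t), "trailing": sorted(set(t))} for c, t in groups.items()}


# Constructed stand-in for a process memory region: the font-foundry URL followed by
# assorted bytes, once as UTF-16LE, plus one unrelated URL with a real path.
SAMPLE_DUMP = (
    b"\x00\x00http://www.carterandcone.com\x00\x00\x00"
    b"\x01\x02http://www.carterandcone.comexc\x00\x7f"
    b"http://www.carterandcone.comintPM5\x00"
    b"http://www.carterandcone.como.4_\x00"
    + "http://www.carterandcone.comlt".encode("utf-16le") + b"\x00\x00"
    b"\x90\x90https://example.org/path?x=1\x00"
    b"junk without url\x00"
)

if __name__ == "__main__":
    for url, info in sorted(summarize_urls(SAMPLE_DUMP).items()):
        print(f"{url}  hits={info['hits']}  trailing={info['trailing']}")
```

Run on the constructed buffer, the five carterandcone.com variants collapse to one entry with the overrun suffixes recorded beside it, while the URL that carries a genuine path is kept whole. The trailing-junk list is worth keeping in the output: a suffix that starts with a path separator is a real URL component, and the script only treats a suffix as overrun when it is not one.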