Windows Analysis Report
yAbf8Z3qA5.exe

Overview

General Information

Sample Name: yAbf8Z3qA5.exe
Analysis ID: 557770
MD5: da3cb7622834a14916d498c1bd8a7827
SHA1: 2179db1ae11496ee06b62dff337986316dd298ea
SHA256: 78dd589c56a6d216f597f149bad69d510a88fb3257b4a643a7250381126d963c
Tags: exeNanoCoreRAT
Infos:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large strings
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yAbf8Z3qA5.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\BYTkrh.exe ReversingLabs: Detection: 39%
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR
Machine Learning detection for sample
Source: yAbf8Z3qA5.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\BYTkrh.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack Avira: Label: TR/NanoCore.fadte

Compliance
barindex
Uses 32bit PE files
Source: yAbf8Z3qA5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: yAbf8Z3qA5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\77vrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: indows\77vrr.pdbpdbvrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kbdlgKkIwF\src\obj\Debug\77vrr.pdbL source: yAbf8Z3qA5.exe, 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000000.349004657.0000000000022000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 00000007.00000000.373054168.0000000000122000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 00000008.00000000.380229783.0000000000792000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 0000000C.00000002.430138618.0000000000F32000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\77vrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kbdlgKkIwF\src\obj\Debug\77vrr.pdb source: yAbf8Z3qA5.exe, yAbf8Z3qA5.exe, 0000000C.00000002.430138618.0000000000F32000.00000002.00020000.sdmp, dhcpmon.exe

Software Vulnerabilities
barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02314930
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02314920
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 4x nop then mov esp, ebp 8_2_050B8810
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_032747A8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_03274798
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 15_2_018F489F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 15_2_018F48B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 15_2_018F4860

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421
Source: global traffic TCP traffic: 197.210.64.245 ports 0,1,2,4,5,50421
Uses dynamic DNS services
Source: unknown DNS query: name: strongodss.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49755 -> 197.210.64.245:50421
Source: global traffic TCP traffic: 192.168.2.6:49760 -> 185.19.85.175:50421
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: unknown TCP traffic detected without corresponding DNS query: 185.19.85.175
Source: yAbf8Z3qA5.exe, 00000000.00000003.350523936.0000000004B19000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.354609078.0000000004B15000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: yAbf8Z3qA5.exe, 00000000.00000003.355947636.0000000004B4D000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.355902260.0000000004B4D000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.356028041.0000000004B4D000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: yAbf8Z3qA5.exe, 00000000.00000003.354635060.0000000004B17000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.354609078.0000000004B15000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com)
Source: yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comala
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comm
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: yAbf8Z3qA5.exe, 00000000.00000003.358953165.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358983600.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358928287.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358873383.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358901732.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html0
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: yAbf8Z3qA5.exe, 00000000.00000003.358506319.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358477439.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.358532023.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.353065872.0000000004B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: yAbf8Z3qA5.exe, 00000000.00000003.353084236.0000000004B15000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cny4i
Source: yAbf8Z3qA5.exe, 00000000.00000003.360074854.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.360057596.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/2
Source: yAbf8Z3qA5.exe, 00000000.00000003.360074854.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.360057596.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/4
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: yAbf8Z3qA5.exe, 00000000.00000003.355077180.0000000004B18000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: yAbf8Z3qA5.exe, 00000000.00000003.355077180.0000000004B18000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Fm
Source: yAbf8Z3qA5.exe, 00000000.00000003.355077180.0000000004B18000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Negr
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.355930974.0000000004B45000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.355896740.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: yAbf8Z3qA5.exe, 00000000.00000003.355896740.0000000004B45000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comH
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.354609078.0000000004B15000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: yAbf8Z3qA5.exe, 00000000.00000002.392850274.0000000005DA2000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: yAbf8Z3qA5.exe, 00000000.00000003.353584518.0000000004B16000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: unknown DNS traffic detected: queries for: strongodss.ddns.net
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D3026 WSARecv, 8_2_051D3026

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a raw input device (often for capturing keystrokes)
Source: yAbf8Z3qA5.exe, 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud
barindex
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.5ba0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.2e864f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.5900000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: yAbf8Z3qA5.exe, Startup.cs Long String: Length: 22528
Source: BYTkrh.exe.0.dr, Startup.cs Long String: Length: 22528
Source: 0.0.yAbf8Z3qA5.exe.20000.0.unpack, Startup.cs Long String: Length: 22528
Source: 0.2.yAbf8Z3qA5.exe.20000.0.unpack, Startup.cs Long String: Length: 22528
Source: 7.2.yAbf8Z3qA5.exe.120000.0.unpack, Startup.cs Long String: Length: 22528
Source: 7.0.yAbf8Z3qA5.exe.120000.3.unpack, Startup.cs Long String: Length: 22528
Source: 7.0.yAbf8Z3qA5.exe.120000.0.unpack, Startup.cs Long String: Length: 22528
Source: 7.0.yAbf8Z3qA5.exe.120000.2.unpack, Startup.cs Long String: Length: 22528
Uses 32bit PE files
Source: yAbf8Z3qA5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.5ba0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.5ba0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.2e864f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.2e864f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.2e81674.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.5900000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.5900000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02312E91 0_2_02312E91
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311DA0 0_2_02311DA0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02312C19 0_2_02312C19
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02310007 0_2_02310007
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02310070 0_2_02310070
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0231447C 0_2_0231447C
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02312258 0_2_02312258
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02312248 0_2_02312248
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023106B0 0_2_023106B0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023106A1 0_2_023106A1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023116A8 0_2_023116A8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311698 0_2_02311698
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0231449F 0_2_0231449F
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023130D0 0_2_023130D0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023130C0 0_2_023130C0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311507 0_2_02311507
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311D91 0_2_02311D91
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04928840 0_2_04928840
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B9D8 0_2_0492B9D8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_049277E8 0_2_049277E8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04929700 0_2_04929700
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04927F30 0_2_04927F30
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04924B66 0_2_04924B66
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492A480 0_2_0492A480
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B439 0_2_0492B439
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492C42C 0_2_0492C42C
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B85A 0_2_0492B85A
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B448 0_2_0492B448
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492A471 0_2_0492A471
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B868 0_2_0492B868
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04922112 0_2_04922112
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04921D50 0_2_04921D50
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_049296FB 0_2_049296FB
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B618 0_2_0492B618
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0492B608 0_2_0492B608
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_049277CE 0_2_049277CE
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_04929B30 0_2_04929B30
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B8D68 8_2_050B8D68
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B9968 8_2_050B9968
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B3850 8_2_050B3850
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B2FA8 8_2_050B2FA8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B23A0 8_2_050B23A0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050BB638 8_2_050BB638
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B306F 8_2_050B306F
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_050B9A2F 8_2_050B9A2F
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03271D20 12_2_03271D20
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03272E11 12_2_03272E11
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03271D0F 12_2_03271D0F
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03272B98 12_2_03272B98
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03274398 12_2_03274398
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032721C8 12_2_032721C8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032721D8 12_2_032721D8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03270006 12_2_03270006
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03270070 12_2_03270070
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03273040 12_2_03273040
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03273050 12_2_03273050
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032706A1 12_2_032706A1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032716A8 12_2_032716A8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032706B0 12_2_032706B0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03271698 12_2_03271698
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03271CD0 12_2_03271CD0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C7F30 12_2_032C7F30
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C9700 12_2_032C9700
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C77E8 12_2_032C77E8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB9D8 12_2_032CB9D8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C8840 12_2_032C8840
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C7740 12_2_032C7740
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C775E 12_2_032C775E
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB608 12_2_032CB608
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB618 12_2_032CB618
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C96E1 12_2_032C96E1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C76F7 12_2_032C76F7
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CC427 12_2_032CC427
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB439 12_2_032CB439
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB868 12_2_032CB868
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CA47A 12_2_032CA47A
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB448 12_2_032CB448
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CB85A 12_2_032CB85A
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032CA480 12_2_032CA480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B9D8 15_2_0172B9D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_01728840 15_2_01728840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_017240F2 15_2_017240F2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_01724B66 15_2_01724B66
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_01727F30 15_2_01727F30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_01729700 15_2_01729700
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_017277E8 15_2_017277E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172A470 15_2_0172A470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B863 15_2_0172B863
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B868 15_2_0172B868
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172EC6D 15_2_0172EC6D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B448 15_2_0172B448
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B439 15_2_0172B439
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172C42C 15_2_0172C42C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172A480 15_2_0172A480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_01727740 15_2_01727740
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172771D 15_2_0172771D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B618 15_2_0172B618
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172B608 15_2_0172B608
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_017296EC 15_2_017296EC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F1D20 15_2_018F1D20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F2E11 15_2_018F2E11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F2B98 15_2_018F2B98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F21D8 15_2_018F21D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F1D0F 15_2_018F1D0F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F1698 15_2_018F1698
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F16A8 15_2_018F16A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F06A1 15_2_018F06A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F06B0 15_2_018F06B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F1CD0 15_2_018F1CD0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F0016 15_2_018F0016
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F3040 15_2_018F3040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F3050 15_2_018F3050
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F0070 15_2_018F0070
Contains functionality to call native functions
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D178E NtQuerySystemInformation, 8_2_051D178E
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D1753 NtQuerySystemInformation, 8_2_051D1753
Sample file is different than original file name gathered from version info
Source: yAbf8Z3qA5.exe, 00000000.00000002.388705528.0000000000162000.00000002.00020000.sdmp Binary or memory string: OriginalFilename77vrr.exe6 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000002.389586829.00000000027D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp Binary or memory string: OriginalFilename77vrr.exe6 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000002.393671522.0000000006B00000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000003.364930637.0000000002CCA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000002.393278734.00000000067D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000000.00000002.390927325.00000000037D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000007.00000000.374768412.0000000000262000.00000002.00020000.sdmp Binary or memory string: OriginalFilename77vrr.exe6 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000000.378275741.00000000008D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename77vrr.exe6 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 00000008.00000002.630937037.0000000006090000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000002.439275846.00000000071D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000002.431278169.0000000001072000.00000002.00020000.sdmp Binary or memory string: OriginalFilename77vrr.exe6 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000002.435607203.0000000004741000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000003.401361631.0000000003C3A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000002.433704504.0000000003741000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs yAbf8Z3qA5.exe
Source: yAbf8Z3qA5.exe, 0000000C.00000002.439531181.00000000074F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs yAbf8Z3qA5.exe
PE file contains strange resources
Source: yAbf8Z3qA5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BYTkrh.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yAbf8Z3qA5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: BYTkrh.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yAbf8Z3qA5.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File read: C:\Users\user\Desktop\yAbf8Z3qA5.exe Jump to behavior
Source: yAbf8Z3qA5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe "C:\Users\user\Desktop\yAbf8Z3qA5.exe"
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmpFF62.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path}
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path}
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6807.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6F7A.tmp
Source: unknown Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe C:\Users\user\Desktop\yAbf8Z3qA5.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp41AB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp4BCD.tmp
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp6E1A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmpFF62.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6807.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6F7A.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp41AB.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp4BCD.tmp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02300F02 AdjustTokenPrivileges, 0_2_02300F02
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02300ECB AdjustTokenPrivileges, 0_2_02300ECB
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D154E AdjustTokenPrivileges, 8_2_051D154E
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D1517 AdjustTokenPrivileges, 8_2_051D1517
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018E0E52 AdjustTokenPrivileges, 15_2_018E0E52
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018E0E1B AdjustTokenPrivileges, 15_2_018E0E1B
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File created: C:\Users\user\AppData\Roaming\BYTkrh.exe Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File created: C:\Users\user\AppData\Local\Temp\tmpFF62.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@32/10@10/2
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_01
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{60215651-75f6-4eb5-9240-aa39bd289f88}
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2320:120:WilError_01
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: yAbf8Z3qA5.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: yAbf8Z3qA5.exe Static file information: File size 1345024 > 1048576
Source: yAbf8Z3qA5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: yAbf8Z3qA5.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13f000
Source: yAbf8Z3qA5.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: yAbf8Z3qA5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\77vrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: indows\77vrr.pdbpdbvrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kbdlgKkIwF\src\obj\Debug\77vrr.pdbL source: yAbf8Z3qA5.exe, 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000000.00000000.349004657.0000000000022000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 00000007.00000000.373054168.0000000000122000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 00000008.00000000.380229783.0000000000792000.00000002.00020000.sdmp, yAbf8Z3qA5.exe, 0000000C.00000002.430138618.0000000000F32000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\77vrr.pdb source: yAbf8Z3qA5.exe, 00000008.00000002.626720826.0000000002AE5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kbdlgKkIwF\src\obj\Debug\77vrr.pdb source: yAbf8Z3qA5.exe, yAbf8Z3qA5.exe, 0000000C.00000002.430138618.0000000000F32000.00000002.00020000.sdmp, dhcpmon.exe

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_023142AC push ebp; ret 0_2_023142D3
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_0231428F push ebp; ret 0_2_02314293
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02310FB7 push edi; ret 0_2_02310FB8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_03270FB7 push edi; ret 12_2_03270FB8
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 12_2_032C5500 push ebx; ret 12_2_032C5501
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0172771D pushad ; retf 15_2_01727845
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_018F0FB7 push edi; ret 15_2_018F0FB8
Source: initial sample Static PE information: section name: .text entropy: 7.7042659795
Source: initial sample Static PE information: section name: .text entropy: 7.7042659795

Persistence and Installation Behavior
barindex
Drops PE files
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File created: C:\Users\user\AppData\Roaming\BYTkrh.exe Jump to dropped file
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmpFF62.tmp

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe File opened: C:\Users\user\Desktop\yAbf8Z3qA5.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4724, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: yAbf8Z3qA5.exe, 00000000.00000002.393928901.0000000006CAE000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 0000000C.00000002.439873858.000000000769E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: yAbf8Z3qA5.exe, 00000000.00000002.393928901.0000000006CAE000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 0000000C.00000002.439873858.000000000769E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe TID: 5540 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe TID: 5352 Thread sleep time: -280000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe TID: 4368 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3940 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311507 rdtsc 0_2_02311507
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Window / User API: foregroundWindowGot 821 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D1276 GetSystemInfo, 8_2_051D1276
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.454848113.000000000752E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging
barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 0_2_02311507 rdtsc 0_2_02311507
Enables debug privileges
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Memory written: C:\Users\user\Desktop\yAbf8Z3qA5.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Memory written: C:\Users\user\Desktop\yAbf8Z3qA5.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmpFF62.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6807.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6F7A.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp41AB.tmp Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Process created: C:\Users\user\Desktop\yAbf8Z3qA5.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BYTkrh" /XML "C:\Users\user\AppData\Local\Temp\tmp4BCD.tmp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path} Jump to behavior
Source: yAbf8Z3qA5.exe, 00000008.00000002.627891290.00000000030E9000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.627110734.0000000002F06000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.627960850.0000000003100000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.627751384.0000000003088000.00000004.00000001.sdmp, yAbf8Z3qA5.exe, 00000008.00000002.628021533.0000000003115000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: yAbf8Z3qA5.exe, 00000008.00000002.626426402.0000000001490000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: yAbf8Z3qA5.exe, 00000008.00000002.626426402.0000000001490000.00000002.00020000.sdmp Binary or memory string: Progman
Source: yAbf8Z3qA5.exe, 00000008.00000002.626426402.0000000001490000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: yAbf8Z3qA5.exe, 00000008.00000002.626426402.0000000001490000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Nanocore Rat
Source: yAbf8Z3qA5.exe, 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.630568364.0000000005BA0000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: yAbf8Z3qA5.exe, 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: yAbf8Z3qA5.exe, 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: yAbf8Z3qA5.exe, 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.630404786.0000000005900000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: yAbf8Z3qA5.exe, 00000008.00000002.626822295.0000000002E71000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.yAbf8Z3qA5.exe.d37e8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.cf8e8b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ebec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c6030d8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.yAbf8Z3qA5.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.5bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yAbf8Z3qA5.exe.c5ce8b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.yAbf8Z3qA5.exe.3ec9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.448894082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.419515654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.447649220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448108468.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.439620816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.630595587.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.422995956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.420229761.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380197922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.628097807.0000000003EB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.460735897.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380861261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.461004523.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.437479878.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.459203730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.440509698.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394239368.000000000C531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.444597183.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.418854563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.472005093.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.623546911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.470493584.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.441490337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.440223202.000000000D2E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.378603204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450070713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.451069768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.383163459.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.471934462.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.462617842.000000000C461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.455188416.000000000CEF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.448217064.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 6960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yAbf8Z3qA5.exe PID: 5964, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D2B6A bind, 8_2_051D2B6A
Source: C:\Users\user\Desktop\yAbf8Z3qA5.exe Code function: 8_2_051D2B3A bind, 8_2_051D2B3A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557770 Sample: yAbf8Z3qA5.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 52 strongodss.ddns.net 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 11 other signatures 2->60 9 yAbf8Z3qA5.exe 6 2->9         started        13 dhcpmon.exe 5 2->13         started        15 yAbf8Z3qA5.exe 4 2->15         started        signatures3 process4 file5 42 C:\Users\user\AppData\Roaming\BYTkrh.exe, PE32 9->42 dropped 44 C:\Users\user\AppData\Local\...\tmpFF62.tmp, XML 9->44 dropped 46 C:\Users\user\AppData\...\yAbf8Z3qA5.exe.log, ASCII 9->46 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 9->64 66 Injects a PE file into a foreign processes 9->66 17 yAbf8Z3qA5.exe 1 14 9->17         started        22 schtasks.exe 1 9->22         started        24 yAbf8Z3qA5.exe 9->24         started        signatures6 process7 dnsIp8 48 185.19.85.175, 49760, 49765, 49767 DATAWIRE-ASCH Switzerland 17->48 50 strongodss.ddns.net 197.210.64.245, 49755, 49758, 49759 VCG-ASNG Nigeria 17->50 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 17->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 17->38 dropped 40 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 17->40 dropped 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->62 26 schtasks.exe 1 17->26         started        28 schtasks.exe 1 17->28         started        30 conhost.exe 22->30         started        file9 signatures10 process11 process12 32 conhost.exe 26->32         started        34 conhost.exe 28->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.19.85.175
 unknown Switzerland
48971 DATAWIRE-ASCH true
197.210.64.245
 strongodss.ddns.net Nigeria
29465 VCG-ASNG false

Contacted Domains

Name IP Active
strongodss.ddns.net 197.210.64.245 true