Windows Analysis Report
INQUIRY.exe

Overview

General Information

Sample Name:	INQUIRY.exe
Analysis ID:	558450
MD5:	dc0acc75361bb39fbd4abec6edc82cd5
SHA1:	9e9c823725bee12d0980009c04692ad9089d9308
SHA256:	d73cbcb2d300d84618d476706765b185c12d20d2e52afe120fb587c81be7cc80
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Yara detected Nanocore RAT

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b46b5964-4830-4c6b-9df5-a21557a1", "Group": "Default", "Domain1": "onyeoma.ddns.net", "Domain2": "127.0.0.1", "Port": 4141, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara detected Nanocore RAT

Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.382543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4980000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.3950e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.394bfde.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2311458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.415058.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.2510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.395543d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39adee9.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.6d8d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2411458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.381bfde.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22f1458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.39a98c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.782558.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.38d3258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.3820e14.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rstmgknbahw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.INQUIRY.exe.2520000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INQUIRY.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.4940000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.37a3258.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rstmgknbahw.exe.2300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.415058.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rstmgknbahw.exe.2400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.rstmgknbahw.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rstmgknbahw.exe.638d50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rstmgknbahw.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.719731750.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000001.718977051.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.704939952.0000000002300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734386129.0000000000625000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.663644960.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.718272419.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.702725030.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INQUIRY.exe PID: 7084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 1904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rstmgknbahw.exe PID: 5320, type: MEMORYSTR

Machine Learning detection for sample

Source: INQUIRY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.0.rstmgknbahw.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INQUIRY.exe.30e0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.INQUIRY.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.1.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.1.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.39a98c0.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.0.rstmgknbahw.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.rstmgknbahw.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.INQUIRY.exe.2520000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.INQUIRY.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.rstmgknbahw.exe.400000.11.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.rstmgknbahw.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\INQUIRY.exe	Unpacked PE file: 2.2.INQUIRY.exe.2520000.4.unpack
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Unpacked PE file: 6.2.rstmgknbahw.exe.4980000.9.unpack

Uses 32bit PE files

Source: INQUIRY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\INQUIRY.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb] source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbX source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: INQUIRY.exe, 00000001.00000003.662943536.00000000033B0000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659087283.0000000003220000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.702841984.00000000030F0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000003.00000003.698655774.0000000003280000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.709826822.00000000030E0000.00000004.00000001.sdmp, rstmgknbahw.exe, 00000005.00000003.711484064.0000000003270000.00000004.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918001760.0000000000807000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: rlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000002.00000002.918475302.00000000025C7000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,	1_2_00405D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_004053AA
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00402630 FindFirstFileA,	1_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00404A29 FindFirstFileExW,	4_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00404A29 FindFirstFileExW,	4_1_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00405D7C FindFirstFileA,FindClose,	5_2_00405D7C
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	5_2_004053AA
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00402630 FindFirstFileA,	5_2_00402630
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00404A29 FindFirstFileExW,	6_2_00404A29
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00404A29 FindFirstFileExW,	6_1_00404A29

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49735 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49782 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49788 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49789 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49791 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49792 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49810 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49827 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 185.140.53.6:4141
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 185.140.53.6:4141

Source: Malware configuration extractor	URLs: onyeoma.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: rstmgknbahw.exe, rstmgknbahw.exe, 00000005.00000002.719289522.0000000000409000.00000004.00020000.sdmp, rstmgknbahw.exe, 00000005.00000000.695461777.0000000000409000.00000008.00020000.sdmp, rstmgknbahw.exe, 00000006.00000000.707759536.0000000000409000.00000008.00020000.sdmp, INQUIRY.exe, rstmgknbahw.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INQUIRY.exe, rstmgknbahw.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		1_2_00403225
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		5_2_00403225

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_0040604C	1_2_0040604C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_00404772	1_2_00404772
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0B88	1_2_021A0B88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0040A2A5	4_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_02553850	4_2_02553850
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_025523A0	4_2_025523A0
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_02552FA8	4_2_02552FA8
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0255306F	4_2_0255306F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_0040A2A5	4_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_0040604C	5_2_0040604C
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 5_2_00404772	5_2_00404772
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_0040A2A5	6_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00AB0700	6_2_00AB0700
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E2FA8	6_2_049E2FA8
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E23A0	6_2_049E23A0
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_049E306F	6_2_049E306F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_0040A2A5	6_1_0040A2A5

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 00401ED0 appears 92 times
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 004056B5 appears 32 times
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: String function: 0040569E appears 72 times

Source: INQUIRY.exe, 00000001.00000003.654638153.00000000034CF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
Source: INQUIRY.exe, 00000001.00000003.658531644.0000000003336000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe

Source: INQUIRY.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rstmgknbahw.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.37a3258.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.415058.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.rstmgknbahw.exe.2411458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.rstmgknbahw.exe.3820e14.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.rstmgknbahw.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.rstmgknbahw.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.rstmgknbahw.exe.6d8d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.rstmgknbahw.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.1.rstmgknbahw.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.INQUIRY.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.rstmgknbahw.exe.2300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: unknown	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe	Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe "C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe"	Jump to behavior

Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b46b5964-4830-4c6b-9df5-a21557a1e56d}
Source: C:\Users\user\Desktop\INQUIRY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812145 push eax; iretd	2_3_00812183
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_008166AD push edi; iretd	2_3_00816D7C
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00812001 pushad ; iretd	2_3_00812003
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 2_3_00813A15 pushfd ; iretd	2_3_00813BDB

Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.INQUIRY.exe.2520000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.rstmgknbahw.exe.49d0000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.rstmgknbahw.exe.4980000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\INQUIRY.exe	File created: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	File created: C:\Users\user\AppData\Local\Temp\nsz814B.tmp\gerys.dll	Jump to dropped file
Source: C:\Users\user\Desktop\INQUIRY.exe	File created: C:\Users\user\AppData\Local\Temp\nsc48D6.tmp\gerys.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	File created: C:\Users\user\AppData\Local\Temp\nsv9D9D.tmp\gerys.dll	Jump to dropped file

Source: C:\Users\user\Desktop\INQUIRY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run earyw			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run earyw			Jump to behavior

Windows Analysis Report INQUIRY.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
INQUIRY.exe

Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4728	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 6512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 5156	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 5992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 2440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 3136	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe TID: 6656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	Window / User API: threadDelayed 384			Jump to behavior
Source: C:\Users\user\Desktop\INQUIRY.exe	Window / User API: foregroundWindowGot 965			Jump to behavior

Source: C:\Users\user\Desktop\INQUIRY.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INQUIRY.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0402 mov eax, dword ptr fs:[00000030h]	1_2_021A0402
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0616 mov eax, dword ptr fs:[00000030h]	1_2_021A0616
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0706 mov eax, dword ptr fs:[00000030h]	1_2_021A0706
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A0744 mov eax, dword ptr fs:[00000030h]	1_2_021A0744
Source: C:\Users\user\Desktop\INQUIRY.exe	Code function: 1_2_021A06C7 mov eax, dword ptr fs:[00000030h]	1_2_021A06C7
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_004035F1 mov eax, dword ptr fs:[00000030h]	4_2_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_004035F1 mov eax, dword ptr fs:[00000030h]	4_1_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_004035F1 mov eax, dword ptr fs:[00000030h]	6_2_004035F1
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_004035F1 mov eax, dword ptr fs:[00000030h]	6_1_004035F1

Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401E1D SetUnhandledExceptionFilter,	4_2_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401E1D SetUnhandledExceptionFilter,	4_1_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 4_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401E1D SetUnhandledExceptionFilter,	6_2_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00401F30
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401E1D SetUnhandledExceptionFilter,	6_1_00401E1D
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_1_0040446F
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_1_00401C88
Source: C:\Users\user\AppData\Roaming\sspgadrjncoy\rstmgknbahw.exe	Code function: 6_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_1_00401F30

Source: INQUIRY.exe, 00000002.00000002.917971257.00000000007D9000.00000004.00000020.sdmp	Binary or memory string: X"~Program Manager$
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.917971257.00000000007D9000.00000004.00000020.sdmp, INQUIRY.exe, 00000002.00000002.918737998.0000000002B9A000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp, INQUIRY.exe, 00000002.00000002.918753295.0000000002BB6000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918570208.00000000029AC000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918544054.000000000299F000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918712708.0000000002B8A000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918560831.00000000029A7000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: INQUIRY.exe, 00000002.00000002.918267849.0000000000E50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: INQUIRY.exe, 00000002.00000003.825484373.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.733579764.000000000080D000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.759637821.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.683832715.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.670540587.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825616062.0000000000815000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.865016296.0000000000813000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.705623191.000000000080B000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.812351194.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.838969103.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.838991506.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.856693810.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.697406169.0000000000816000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.825517657.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.718632163.000000000080D000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.747066430.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.710595291.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.692336980.0000000000814000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.799544616.0000000000812000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000003.692368806.0000000000815000.00000004.00000001.sdmp	Binary or memory string: Program Managert$
Source: INQUIRY.exe, 00000002.00000002.918518466.0000000002965000.00000004.00000001.sdmp	Binary or memory string: Program Managerr
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp, INQUIRY.exe, 00000002.00000002.918570208.00000000029AC000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: INQUIRY.exe, 00000002.00000002.918728460.0000000002B90000.00000004.00000001.sdmp	Binary or memory string: Program ManagerPG

Source: INQUIRY.exe, 00000001.00000002.665449354.00000000022E0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000000.662575253.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918404744.0000000002522000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.917467270.0000000000774000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918484295.0000000002911000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INQUIRY.exe, 00000002.00000002.916471993.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918375056.00000000024E0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INQUIRY.exe, 00000002.00000002.918797240.00000000039A2000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000001.703365040.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.723024476.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725072072.0000000002510000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725158787.00000000038D1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725196610.000000000390A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725133013.00000000028DE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000004.00000000.701936247.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.724570206.00000000006C5000.00000004.00000020.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000004.00000002.725281266.00000000049D2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735100285.0000000004940000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000000.716081773.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734941801.00000000027AE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735022366.00000000037DA000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: rstmgknbahw.exe, 00000006.00000002.734234340.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.735138898.0000000004982000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: rstmgknbahw.exe, 00000006.00000002.734985665.00000000037A1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Name	Malicious	Antivirus Detection	Reputation
onyeoma.ddns.net	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown