Edit tour

Windows Analysis Report
g9WPdiOMmP.exe

Overview

General Information

Sample Name:	g9WPdiOMmP.exe
Analysis ID:	623535
MD5:	917e0e9eafc6cda73bff5d17ce4086cc
SHA1:	4e89ea04a18e77490366413e1fd00249b4ecced5
SHA256:	9e786734789a58b02fa6d10321f91833970cc44d86db086a4b456aa1f7d7f18b
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

g9WPdiOMmP.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\g9WPdiOMmP.exe" MD5: 917E0E9EAFC6CDA73BFF5D17CE4086CC)

powershell.exe (PID: 6400 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2176 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6044 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6720 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 4472 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

schtasks.exe (PID: 6936 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE651.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6812 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6892 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6252 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6268 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "90fb62d1-4695-45ee-832f-da5694a0", "Group": "Default", "Domain1": "184.75.223.235", "Domain2": "", "Port": 3811, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x485dd:$a: NanoCore 0x48636:$a: NanoCore 0x48673:$a: NanoCore 0x486ec:$a: NanoCore 0x4dc81:$a: NanoCore 0x4dccb:$a: NanoCore 0x4deb5:$a: NanoCore 0x617d4:$a: NanoCore 0x617e9:$a: NanoCore 0x6181e:$a: NanoCore 0x7a7ab:$a: NanoCore 0x7a7c0:$a: NanoCore 0x7a7f5:$a: NanoCore 0x4863f:$b: ClientPlugin 0x4867c:$b: ClientPlugin 0x48f7a:$b: ClientPlugin 0x48f87:$b: ClientPlugin 0x4da1a:$b: ClientPlugin 0x4dc8a:$b: ClientPlugin 0x4dcd4:$b: ClientPlugin 0x61590:$b: ClientPlugin
00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x46c95:$x1: NanoCore.ClientPluginHost 0x7b4b5:$x1: NanoCore.ClientPluginHost 0xafad5:$x1: NanoCore.ClientPluginHost 0x46cd2:$x2: IClientNetworkHost 0x7b4f2:$x2: IClientNetworkHost 0xafb12:$x2: IClientNetworkHost 0x4a805:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f025:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb3645:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x469fd:$a: NanoCore 0x46a0d:$a: NanoCore 0x46c41:$a: NanoCore 0x46c55:$a: NanoCore 0x46c95:$a: NanoCore 0x7b21d:$a: NanoCore 0x7b22d:$a: NanoCore 0x7b461:$a: NanoCore 0x7b475:$a: NanoCore 0x7b4b5:$a: NanoCore 0xaf83d:$a: NanoCore 0xaf84d:$a: NanoCore 0xafa81:$a: NanoCore 0xafa95:$a: NanoCore 0xafad5:$a: NanoCore 0x46a5c:$b: ClientPlugin 0x46c5e:$b: ClientPlugin 0x46c9e:$b: ClientPlugin 0x7b27c:$b: ClientPlugin 0x7b47e:$b: ClientPlugin 0x7b4be:$b: ClientPlugin
0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: g9WPdiOMmP.exe PID: 7056	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7570:$x1: NanoCore.ClientPluginHost 0x75ad:$x2: IClientNetworkHost 0xb095:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16113:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2224d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2d591:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: g9WPdiOMmP.exe PID: 7056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: g9WPdiOMmP.exe PID: 7056	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: g9WPdiOMmP.exe PID: 7056	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x723d:$a: NanoCore 0x724d:$a: NanoCore 0x730c:$a: NanoCore 0x731b:$a: NanoCore 0x751c:$a: NanoCore 0x7530:$a: NanoCore 0x7570:$a: NanoCore 0x1277d:$a: NanoCore 0x1278f:$a: NanoCore 0x127cb:$a: NanoCore 0x1e8b7:$a: NanoCore 0x1e8c9:$a: NanoCore 0x1e905:$a: NanoCore 0x29bfb:$a: NanoCore 0x29c0d:$a: NanoCore 0x29c49:$a: NanoCore 0x729c:$b: ClientPlugin 0x7365:$b: ClientPlugin 0x7539:$b: ClientPlugin 0x7579:$b: ClientPlugin 0x12798:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 4472	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x20b67:$x1: NanoCore.ClientPluginHost 0x38b6f:$x1: NanoCore.ClientPluginHost 0x54ff0:$x1: NanoCore.ClientPluginHost 0x892db:$x1: NanoCore.ClientPluginHost 0x20b81:$x2: IClientNetworkHost 0x38bac:$x2: IClientNetworkHost 0x5501d:$x2: IClientNetworkHost 0x892f5:$x2: IClientNetworkHost 0x3c69d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47723:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 4472	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4472	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20ad1:$a: NanoCore 0x20b2a:$a: NanoCore 0x20b67:$a: NanoCore 0x20be0:$a: NanoCore 0x21499:$a: NanoCore 0x214ec:$a: NanoCore 0x21525:$a: NanoCore 0x21598:$a: NanoCore 0x22350:$a: NanoCore 0x227cc:$a: NanoCore 0x22812:$a: NanoCore 0x229d9:$a: NanoCore 0x29b5d:$a: NanoCore 0x29b70:$a: NanoCore 0x29ba2:$a: NanoCore 0x2f7ed:$a: NanoCore 0x2f800:$a: NanoCore 0x2f832:$a: NanoCore 0x3883c:$a: NanoCore 0x3884c:$a: NanoCore 0x3890b:$a: NanoCore
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.RegSvcs.exe.54d0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
15.2.RegSvcs.exe.54d0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
15.2.RegSvcs.exe.54d0000.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
15.0.RegSvcs.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.RegSvcs.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.RegSvcs.exe.400000.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.0.RegSvcs.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.RegSvcs.exe.3bf07fe.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32ff7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x33024:$x2: IClientNetworkHost
15.2.RegSvcs.exe.3bf07fe.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32ff7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x340d2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x33011:$s5: IClientLoggingHost
15.2.RegSvcs.exe.3bf07fe.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.3bf07fe.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64cd:$x2: NanoCore.ClientPlugin 0x19feb:$x2: NanoCore.ClientPlugin 0x32fc2:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x6483:$x3: NanoCore.ClientPluginHost 0x1a020:$x3: NanoCore.ClientPluginHost 0x32ff7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x19fdf:$i2: IClientData 0x32fb6:$i2: IClientData 0xe29:$i3: IClientNetwork 0x64e3:$i3: IClientNetwork 0x1a001:$i3: IClientNetwork 0x32fd8:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x1a010:$i5: IClientDataHost 0x32fe7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost
15.2.RegSvcs.exe.3bf07fe.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32fad:$a: NanoCore 0x32fc2:$a: NanoCore 0x32ff7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
15.2.RegSvcs.exe.3bf07fe.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
15.2.RegSvcs.exe.3bf07fe.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
15.2.RegSvcs.exe.3bf07fe.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40cd:$x2: NanoCore.ClientPlugin 0x4083:$x3: NanoCore.ClientPluginHost 0x40e3:$i3: IClientNetwork 0x409d:$i6: IClientLoggingHost 0x3e1c:$s1: ClientPlugin 0x40d6:$s1: ClientPlugin
15.2.RegSvcs.exe.3bfb071.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.RegSvcs.exe.3bfb071.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.RegSvcs.exe.3bfb071.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.3bfb071.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
15.2.RegSvcs.exe.6110000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.RegSvcs.exe.6110000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.RegSvcs.exe.6110000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.6110000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
0.2.g9WPdiOMmP.exe.39acb08.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.g9WPdiOMmP.exe.39acb08.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.g9WPdiOMmP.exe.39acb08.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.g9WPdiOMmP.exe.39acb08.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.g9WPdiOMmP.exe.39acb08.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.g9WPdiOMmP.exe.39e1328.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.g9WPdiOMmP.exe.39e1328.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.g9WPdiOMmP.exe.39e1328.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.g9WPdiOMmP.exe.39e1328.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.g9WPdiOMmP.exe.39e1328.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
15.0.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.0.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.0.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.RegSvcs.exe.400000.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.0.RegSvcs.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.0.RegSvcs.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.RegSvcs.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.RegSvcs.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.0.RegSvcs.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.RegSvcs.exe.6114629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
15.2.RegSvcs.exe.6114629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
15.2.RegSvcs.exe.6114629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.6114629.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
15.0.RegSvcs.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.RegSvcs.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.RegSvcs.exe.400000.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.0.RegSvcs.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.RegSvcs.exe.3bfb071.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28784:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287b1:$x2: IClientNetworkHost
15.2.RegSvcs.exe.3bfb071.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28784:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2985f:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2879e:$s5: IClientLoggingHost
15.2.RegSvcs.exe.3bfb071.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.3bfb071.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2874f:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28784:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28743:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28765:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28774:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2879e:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287b1:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287c4:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287d2:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287ee:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
15.2.RegSvcs.exe.6110000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
15.2.RegSvcs.exe.6110000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
15.2.RegSvcs.exe.6110000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.6110000.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
15.2.RegSvcs.exe.2bcd1f8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x40a6:$x1: NanoCore.ClientPluginHost
15.2.RegSvcs.exe.2bcd1f8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x40a6:$x2: NanoCore.ClientPluginHost 0x4184:$s4: PipeCreated 0x40c0:$s5: IClientLoggingHost
15.2.RegSvcs.exe.2bcd1f8.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40f0:$x2: NanoCore.ClientPlugin 0x40a6:$x3: NanoCore.ClientPluginHost 0x4106:$i3: IClientNetwork 0x40c0:$i6: IClientLoggingHost 0x3e3f:$s1: ClientPlugin 0x40f9:$s1: ClientPlugin
15.2.RegSvcs.exe.52f0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.RegSvcs.exe.52f0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.RegSvcs.exe.52f0000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x447ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x447ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xc3a0f:$s1: file:/// 0xc391f:$s2: {11111-22222-10009-11112} 0xc399f:$s3: {11111-22222-50001-00000} 0xc1491:$s4: get_Module 0xc1900:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x4f58f:$s6: BlockCopy 0xc34f2:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x4f586:$s7: ReadByte 0xc3a21:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44515:$x1: NanoCore Client 0x44525:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4476d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x447ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44762:$i1: IClientApp 0x10163:$i2: IClientData 0x44783:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4478f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4479e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x447c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x447d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44515:$a: NanoCore 0x44525:$a: NanoCore 0x44759:$a: NanoCore 0x4476d:$a: NanoCore 0x447ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44574:$b: ClientPlugin 0x44776:$b: ClientPlugin 0x447b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4469b:$c: ProjectData 0xc3425:$c: ProjectData 0x10a82:$d: DESCrypto 0x450a2:$d: DESCrypto
15.2.RegSvcs.exe.2bd2058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
15.2.RegSvcs.exe.2bd2058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
15.2.RegSvcs.exe.2bd2058.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
15.2.RegSvcs.exe.3bf563b.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e1ba:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1e7:$x2: IClientNetworkHost
15.2.RegSvcs.exe.3bf563b.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e1ba:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f295:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e1d4:$s5: IClientLoggingHost
15.2.RegSvcs.exe.3bf563b.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegSvcs.exe.3bf563b.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x151ae:$x2: NanoCore.ClientPlugin 0x2e185:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x151e3:$x3: NanoCore.ClientPluginHost 0x2e1ba:$x3: NanoCore.ClientPluginHost 0x151a2:$i2: IClientData 0x2e179:$i2: IClientData 0x16a6:$i3: IClientNetwork 0x151c4:$i3: IClientNetwork 0x2e19b:$i3: IClientNetwork 0x151d3:$i5: IClientDataHost 0x2e1aa:$i5: IClientDataHost 0x1660:$i6: IClientLoggingHost 0x151fd:$i6: IClientLoggingHost 0x2e1d4:$i6: IClientLoggingHost 0x15210:$i7: IClientNetworkHost 0x2e1e7:$i7: IClientNetworkHost 0x15223:$i8: IClientUIHost 0x2e1fa:$i8: IClientUIHost 0x15231:$i9: IClientNameObjectCollection
15.2.RegSvcs.exe.3bf563b.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e170:$a: NanoCore 0x2e185:$a: NanoCore 0x2e1ba:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2df2c:$b: ClientPlugin 0x2df47:$b: ClientPlugin 0x2df77:$b: ClientPlugin 0x2e18e:$b: ClientPlugin
0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x467ad:$x1: NanoCore.ClientPluginHost 0x7afcd:$x1: NanoCore.ClientPluginHost 0xaf5ed:$x1: NanoCore.ClientPluginHost 0x467ea:$x2: IClientNetworkHost 0x7b00a:$x2: IClientNetworkHost 0xaf62a:$x2: IClientNetworkHost 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x12e84f:$s1: file:/// 0x12e75f:$s2: {11111-22222-10009-11112} 0x12e7df:$s3: {11111-22222-50001-00000} 0x12c2d1:$s4: get_Module 0x12c740:$s5: Reverse 0x5158f:$s6: BlockCopy 0x85daf:$s6: BlockCopy 0xba3cf:$s6: BlockCopy 0x12e332:$s6: BlockCopy 0x51586:$s7: ReadByte 0x85da6:$s7: ReadByte 0xba3c6:$s7: ReadByte 0x12e861:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46515:$x1: NanoCore Client 0x46525:$x1: NanoCore Client 0x7ad35:$x1: NanoCore Client 0x7ad45:$x1: NanoCore Client 0xaf355:$x1: NanoCore Client 0xaf365:$x1: NanoCore Client 0x4676d:$x2: NanoCore.ClientPlugin 0x7af8d:$x2: NanoCore.ClientPlugin 0xaf5ad:$x2: NanoCore.ClientPlugin 0x467ad:$x3: NanoCore.ClientPluginHost 0x7afcd:$x3: NanoCore.ClientPluginHost 0xaf5ed:$x3: NanoCore.ClientPluginHost 0x46762:$i1: IClientApp 0x7af82:$i1: IClientApp 0xaf5a2:$i1: IClientApp 0x46783:$i2: IClientData 0x7afa3:$i2: IClientData 0xaf5c3:$i2: IClientData 0x4678f:$i3: IClientNetwork 0x7afaf:$i3: IClientNetwork 0xaf5cf:$i3: IClientNetwork
0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46515:$a: NanoCore 0x46525:$a: NanoCore 0x46759:$a: NanoCore 0x4676d:$a: NanoCore 0x467ad:$a: NanoCore 0x7ad35:$a: NanoCore 0x7ad45:$a: NanoCore 0x7af79:$a: NanoCore 0x7af8d:$a: NanoCore 0x7afcd:$a: NanoCore 0xaf355:$a: NanoCore 0xaf365:$a: NanoCore 0xaf599:$a: NanoCore 0xaf5ad:$a: NanoCore 0xaf5ed:$a: NanoCore 0x46574:$b: ClientPlugin 0x46776:$b: ClientPlugin 0x467b6:$b: ClientPlugin 0x7ad94:$b: ClientPlugin 0x7af96:$b: ClientPlugin 0x7afd6:$b: ClientPlugin
15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x64a6:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x64a6:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6584:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64c0:$s5: IClientLoggingHost
15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64f0:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x64a6:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x6506:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x64c0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x623f:$s1: ClientPlugin 0x64f9:$s1: ClientPlugin
0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x449ad:$x1: NanoCore.ClientPluginHost 0x78fcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x449ea:$x2: IClientNetworkHost 0x7900a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xf822f:$s1: file:/// 0xf813f:$s2: {11111-22222-10009-11112} 0xf81bf:$s3: {11111-22222-50001-00000} 0xf5cb1:$s4: get_Module 0xf6120:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x4f78f:$s6: BlockCopy 0x83daf:$s6: BlockCopy 0xf7d12:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x4f786:$s7: ReadByte 0x83da6:$s7: ReadByte 0xf8241:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x44715:$x1: NanoCore Client 0x44725:$x1: NanoCore Client 0x78d35:$x1: NanoCore Client 0x78d45:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4496d:$x2: NanoCore.ClientPlugin 0x78f8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x449ad:$x3: NanoCore.ClientPluginHost 0x78fcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x44962:$i1: IClientApp 0x78f82:$i1: IClientApp 0x10163:$i2: IClientData 0x44983:$i2: IClientData 0x78fa3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4498f:$i3: IClientNetwork 0x78faf:$i3: IClientNetwork
0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x44715:$a: NanoCore 0x44725:$a: NanoCore 0x44959:$a: NanoCore 0x4496d:$a: NanoCore 0x449ad:$a: NanoCore 0x78d35:$a: NanoCore 0x78d45:$a: NanoCore 0x78f79:$a: NanoCore 0x78f8d:$a: NanoCore 0x78fcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x44774:$b: ClientPlugin 0x44976:$b: ClientPlugin 0x449b6:$b: ClientPlugin
Click to see the 98 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4472, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980938112025019 05/10/22-16:29:27.325942
SID:	2025019
Source Port:	49809
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354981238112025019 05/10/22-16:29:39.486310
SID:	2025019
Source Port:	49812
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980538112025019 05/10/22-16:29:13.562263
SID:	2025019
Source Port:	49805
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354978138112025019 05/10/22-16:28:27.857476
SID:	2025019
Source Port:	49781
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354978938112816766 05/10/22-16:28:38.861696
SID:	2816766
Source Port:	49789
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354979938112816766 05/10/22-16:28:53.595561
SID:	2816766
Source Port:	49799
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980638112816766 05/10/22-16:29:21.726244
SID:	2816766
Source Port:	49806
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980138112816718 05/10/22-16:28:59.924134
SID:	2816718
Source Port:	49801
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980338112025019 05/10/22-16:29:06.297654
SID:	2025019
Source Port:	49803
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354979938112025019 05/10/22-16:28:51.974527
SID:	2025019
Source Port:	49799
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354981338112025019 05/10/22-16:29:55.677533
SID:	2025019
Source Port:	49813
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354978938112025019 05/10/22-16:28:37.152636
SID:	2025019
Source Port:	49789
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980338112816766 05/10/22-16:29:08.157409
SID:	2816766
Source Port:	49803
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980538112816766 05/10/22-16:29:14.913941
SID:	2816766
Source Port:	49805
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 184.75.223.235 - Destination IP: 192.168.2.5

Timestamp:	184.75.223.235192.168.2.53811498092841753 05/10/22-16:29:27.684225
SID:	2841753
Source Port:	3811
Destination Port:	49809
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354978138112816766 05/10/22-16:28:32.594863
SID:	2816766
Source Port:	49781
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354981238112816766 05/10/22-16:29:41.277572
SID:	2816766
Source Port:	49812
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354979238112025019 05/10/22-16:28:44.198677
SID:	2025019
Source Port:	49792
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980138112025019 05/10/22-16:28:59.097237
SID:	2025019
Source Port:	49801
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980638112025019 05/10/22-16:29:19.892387
SID:	2025019
Source Port:	49806
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 184.75.223.235 - Destination IP: 192.168.2.5

Timestamp:	184.75.223.235192.168.2.53811498132841753 05/10/22-16:29:56.405286
SID:	2841753
Source Port:	3811
Destination Port:	49813
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354981138112816766 05/10/22-16:29:34.142910
SID:	2816766
Source Port:	49811
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354981138112025019 05/10/22-16:29:32.402001
SID:	2025019
Source Port:	49811
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354979238112816766 05/10/22-16:28:45.973981
SID:	2816766
Source Port:	49792
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 184.75.223.235

Timestamp:	192.168.2.5184.75.223.2354980138112816766 05/10/22-16:29:01.025187
SID:	2816766
Source Port:	49801
Destination Port:	3811
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "90fb62d1-4695-45ee-832f-da5694a0", "Group": "Default", "Domain1": "184.75.223.235", "Domain2": "", "Port": 3811, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: g9WPdiOMmP.exe	Virustotal: Detection: 56%	Perma Link
Source: g9WPdiOMmP.exe	Metadefender: Detection: 22%	Perma Link
Source: g9WPdiOMmP.exe	ReversingLabs: Detection: 43%

Antivirus detection for URL or domain

Source: 184.75.223.235

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 184.75.223.235

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PCgOBjKh.exe	Metadefender: Detection: 22%			Perma Link
Source: C:\Users\user\AppData\Roaming\PCgOBjKh.exe	ReversingLabs: Detection: 43%

Yara detected Nanocore RAT

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR

Machine Learning detection for sample

Source: g9WPdiOMmP.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PCgOBjKh.exe

Joe Sandbox ML: detected

Source: 15.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.RegSvcs.exe.6110000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 15.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: g9WPdiOMmP.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: g9WPdiOMmP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000017.00000000.522377579.0000000000642000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe, 00000019.00000002.536255616.0000000000792000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe.15.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000019.00000002.536255616.0000000000792000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe.15.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49781 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49781 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49789 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49789 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49792 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49792 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49799 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49799 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49801 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49801 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49801 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49803 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49803 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49805 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49805 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49806 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49806 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49809 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 184.75.223.235:3811 -> 192.168.2.5:49809
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49811 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49811 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49812 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49812 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49813 -> 184.75.223.235:3811
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 184.75.223.235:3811 -> 192.168.2.5:49813

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 184.75.223.235

Source: Joe Sandbox View

ASN Name: AMANAHA-NEWCA AMANAHA-NEWCA

Source: global traffic

TCP traffic: 192.168.2.5:49781 -> 184.75.223.235:3811

Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235
Source: unknown	TCP traffic detected without corresponding DNS query: 184.75.223.235

Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: g9WPdiOMmP.exe, 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: g9WPdiOMmP.exe, 00000000.00000002.500932580.0000000000C80000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.54d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.54d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.3bf07fe.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.3bf07fe.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.2bcd1f8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.2bcd1f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.2bd2058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.2bd2058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: g9WPdiOMmP.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 15.2.RegSvcs.exe.54d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.54d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.54d0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.3bf07fe.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.3bf07fe.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.3bf07fe.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.2bcd1f8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.2bcd1f8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.2bcd1f8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.52f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.2bd2058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.2bd2058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.2bd2058.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.RegSvcs.exe.2bcd1f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BC334	0_2_027BC334
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BE790	0_2_027BE790
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BE78B	0_2_027BE78B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E6E480	15_2_00E6E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E6E471	15_2_00E6E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E6BBD4	15_2_00E6BBD4

Source: g9WPdiOMmP.exe	Binary or memory string: OriginalFilename vs g9WPdiOMmP.exe
Source: g9WPdiOMmP.exe, 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g9WPdiOMmP.exe
Source: g9WPdiOMmP.exe, 00000000.00000002.509325402.0000000006F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs g9WPdiOMmP.exe
Source: g9WPdiOMmP.exe, 00000000.00000002.500932580.0000000000C80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs g9WPdiOMmP.exe
Source: g9WPdiOMmP.exe	Binary or memory string: OriginalFilenameDirectoryStr.exe2 vs g9WPdiOMmP.exe

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: g9WPdiOMmP.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PCgOBjKh.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: g9WPdiOMmP.exe	Virustotal: Detection: 56%
Source: g9WPdiOMmP.exe	Metadefender: Detection: 22%
Source: g9WPdiOMmP.exe	ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

File read: C:\Users\user\Desktop\g9WPdiOMmP.exe

Jump to behavior

Source: g9WPdiOMmP.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\g9WPdiOMmP.exe "C:\Users\user\Desktop\g9WPdiOMmP.exe"
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE651.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE651.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

File created: C:\Users\user\AppData\Roaming\PCgOBjKh.exe

Jump to behavior

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp502A.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/22@0/1

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Mutant created: \Sessions\1\BaseNamedObjects\YBhJWSVHJNzDGrdhmB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{90fb62d1-4695-45ee-832f-da5694a04e39}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: g9WPdiOMmP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: g9WPdiOMmP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000017.00000000.522377579.0000000000642000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe, 00000019.00000002.536255616.0000000000792000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe.15.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000019.00000002.536255616.0000000000792000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe.15.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BF790 pushad ; iretd	0_2_027BFA91
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B4210 push esp; retf 0004h	0_2_027B4212
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B40D9 push eax; retf 0004h	0_2_027B40DA
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B44C0 push edi; retf 0004h	0_2_027B44C2
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B453F push edi; retf 0004h	0_2_027B4542
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B6971 push 9F7004CAh; retf	0_2_027B6976
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027B6940 push 9DB004CAh; retf	0_2_027B694E
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BB2EF pushfd ; retf 0004h	0_2_027BB2F2
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BB351 pushfd ; retf 0004h	0_2_027BB352
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Code function: 0_2_027BB417 pushfd ; retf 0004h	0_2_027BB41A

Source: initial sample	Static PE information: section name: .text entropy: 7.86281198011
Source: initial sample	Static PE information: section name: .text entropy: 7.86281198011

Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	File created: C:\Users\user\AppData\Roaming\PCgOBjKh.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: g9WPdiOMmP.exe, 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: g9WPdiOMmP.exe, 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe TID: 7060	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5156	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6280	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1842	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2376	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 687

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 886008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe	Jump to behavior

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE651.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp

Source: RegSvcs.exe, 0000000F.00000002.703664629.0000000003051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.702752905.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.706128660.000000000601B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.702752905.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagernHa

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Users\user\Desktop\g9WPdiOMmP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\g9WPdiOMmP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\g9WPdiOMmP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: g9WPdiOMmP.exe, 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Source: Yara match	File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf07fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6114629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bfb071.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.6110000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39e1328.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.3bf563b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39764e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g9WPdiOMmP.exe.39acb08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g9WPdiOMmP.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4472, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	212 Process Injection	2 Masquerading	21 Input Capture	21 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	212 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
g9WPdiOMmP.exe	56%	Virustotal		Browse
g9WPdiOMmP.exe	23%	Metadefender		Browse
g9WPdiOMmP.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
g9WPdiOMmP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\PCgOBjKh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\PCgOBjKh.exe	23%	Metadefender		Browse
C:\Users\user\AppData\Roaming\PCgOBjKh.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.2.RegSvcs.exe.6110000.8.unpack	100%	Avira	TR/NanoCore.fadte	Download File
15.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
184.75.223.235	7%	Virustotal		Browse
184.75.223.235	100%	Avira URL Cloud	malware
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
184.75.223.235	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	g9WPdiOMmP.exe, 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, g9WPdiOMmP.exe, 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	g9WPdiOMmP.exe, 00000000.00000002.508572949.0000000006882000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.75.223.235	unknown	Canada		32489	AMANAHA-NEWCA	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623535
Start date and time: 10/05/202216:26:30	2022-05-10 16:26:30 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	g9WPdiOMmP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/22@0/1
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 1.2% (good quality ratio 0.8%) Quality average: 55.8% Quality standard deviation: 41.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.152.110.14, 52.242.101.226, 20.223.24.244, 40.125.122.176
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target dhcpmon.exe, PID 6268 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:27:58	API Interceptor	1x Sleep call for process: g9WPdiOMmP.exe modified
16:28:06	API Interceptor	56x Sleep call for process: powershell.exe modified
16:28:19	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:28:23	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
16:28:25	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:28:25	API Interceptor	665x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
184.75.223.235	B2D2CD90962ED5916301604F6F423263C8F73A45DADAA.exe	Get hash	malicious	Browse
184.75.223.235	4682C806DD41AACCBB4F8BF3EAD4FD322C302F334E3ED.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMANAHA-NEWCA	SecuriteInfo.com.Variant.Zusy.422205.9544.exe	Get hash	malicious	Browse	184.75.221.171
	SecuriteInfo.com.Variant.Zusy.422205.28942.exe	Get hash	malicious	Browse	184.75.221.171
	Impgmovsnhntqqtzhgkvtxrejstmfscail.exe	Get hash	malicious	Browse	184.75.221.171
	SecuriteInfo.com.Trojan.MalPack.18815.exe	Get hash	malicious	Browse	184.75.221.171
	Yddkxdueywhkiefjlsbskdfpfrlwnkzdin.exe	Get hash	malicious	Browse	184.75.221.171
	Gp2M1wXObH.exe	Get hash	malicious	Browse	184.75.221.171
	Fkskaogxaausqqhwhvbrltmsasszsywdva.exe	Get hash	malicious	Browse	184.75.221.171
	Hngvotwwxqrrqpozdzjwcpzajkixghmqfz.exe	Get hash	malicious	Browse	184.75.221.171
	harm	Get hash	malicious	Browse	104.254.94.141
	oJ3S21d1rf	Get hash	malicious	Browse	162.219.177.102
	mirai.arm	Get hash	malicious	Browse	162.219.177.248
	B2D2CD90962ED5916301604F6F423263C8F73A45DADAA.exe	Get hash	malicious	Browse	184.75.223.235
	4682C806DD41AACCBB4F8BF3EAD4FD322C302F334E3ED.exe	Get hash	malicious	Browse	184.75.223.235
	WXTSOH1fd2	Get hash	malicious	Browse	184.75.219.227
	Mtxymgiuvaqhsnvczideuhnykrfdxiosoz.exe	Get hash	malicious	Browse	184.75.221.171
	t4hwIvRdgG.exe	Get hash	malicious	Browse	184.75.221.171
	RSec.x86	Get hash	malicious	Browse	104.245.146.193
	Facturas_cliente900693_21.exe	Get hash	malicious	Browse	172.94.127.185
	arBO1d8fBL.exe	Get hash	malicious	Browse	104.254.90.235
	credit.exe	Get hash	malicious	Browse	104.254.90.235

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	f8keZ8QG3Lw4Vvy.exe	Get hash	malicious	Browse
	Request for Quotation.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	Profoma Invoice.exe	Get hash	malicious	Browse
	NEW Order.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.25700.exe	Get hash	malicious	Browse
	Payment Details xls.exe	Get hash	malicious	Browse
	debit note#U6a21#U677f#Uff08USD75455.92#U3001USD200000#U3001USD150124.53#Uff09.exe	Get hash	malicious	Browse
	Request for Quotation (2).exe	Get hash	malicious	Browse
	VEL-P01225013B.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	Dq6Qlhi724.exe	Get hash	malicious	Browse
	VEL-P01225013B.exe	Get hash	malicious	Browse
	TT Copy.exe	Get hash	malicious	Browse
	RFQ#1952022(BOQ-IT-Equipment.pdf.exe	Get hash	malicious	Browse
	PO#7A68D20.exe	Get hash	malicious	Browse
	Bank Slip.exe	Get hash	malicious	Browse
	outstanding invoices.exe	Get hash	malicious	Browse
	Bank slip 0003.exe	Get hash	malicious	Browse
	Antawise.pdf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: f8keZ8QG3Lw4Vvy.exe, Detection: malicious, Browse Filename: Request for Quotation.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse Filename: Profoma Invoice.exe, Detection: malicious, Browse Filename: NEW Order.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetectNet.01.25700.exe, Detection: malicious, Browse Filename: Payment Details xls.exe, Detection: malicious, Browse Filename: debit note#U6a21#U677f#Uff08USD75455.92#U3001USD200000#U3001USD150124.53#Uff09.exe, Detection: malicious, Browse Filename: Request for Quotation (2).exe, Detection: malicious, Browse Filename: VEL-P01225013B.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: Dq6Qlhi724.exe, Detection: malicious, Browse Filename: VEL-P01225013B.exe, Detection: malicious, Browse Filename: TT Copy.exe, Detection: malicious, Browse Filename: RFQ#1952022(BOQ-IT-Equipment.pdf.exe, Detection: malicious, Browse Filename: PO#7A68D20.exe, Detection: malicious, Browse Filename: Bank Slip.exe, Detection: malicious, Browse Filename: outstanding invoices.exe, Detection: malicious, Browse Filename: Bank slip 0003.exe, Detection: malicious, Browse Filename: Antawise.pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g9WPdiOMmP.exe.log

Download File

Process:	C:\Users\user\Desktop\g9WPdiOMmP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22152
Entropy (8bit):	5.600629014897279
Encrypted:	false
SSDEEP:	384:FtCDLq0bbii/H9kzO3ISYZEjultI/l7nvjg3hIn8ML+SfmAV7chk+5ZQvnI++t0:xi/d5YpKClts166XKmp4+H
MD5:	350D47B1EB9FFC9B3AC2BAD168B795DC
SHA1:	C31C84B9EB7960212073775294774248D91E903A
SHA-256:	CB96F9DE8E7FEF846033381DCC14423C884B0965A5347EE086A521A90948FD88
SHA-512:	A92ABE5F100D07FF6B6BB47C0D50335BF285E660F4687983E96A5164A3F7307FF1DC649FAA78E93CDAC9C0DF4BDEC7B499A1549EFD32943D0643C65C0573F5C0
Malicious:	false
Preview:	@...e...........[.......H.~...............+..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fu5c34yp.wy0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krjt5ohn.f0l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kv0ftztp.bvm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_so3a4bls.ivo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp502A.tmp

Download File

Process:	C:\Users\user\Desktop\g9WPdiOMmP.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.132854386445681
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTev
MD5:	8CB6DA50A3A05F3E30D5FBECA9ED8386
SHA1:	61AD8CC8EE6E5C2DE8893DDE2FDF078958C5A0ED
SHA-256:	E6EB520F4AF34ADECA6094C327F2F5336DC6ABCBA1C5BEE926D2849305D03028
SHA-512:	AD000B811CF463BD8B14B947DD6C805862382CA49388440341137A2C9DF781E17FF099F8B912586A7CE1556131D956A3CA648E39883AF6345808BCAB062B2FC5
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpE651.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135668813522653
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
MD5:	8CAD1B41587CED0F1E74396794F31D58
SHA1:	11054BF74FCF5E8E412768035E4DAE43AA7B710F
SHA-256:	3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
SHA-512:	99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
MD5:	061E700FE27D852034A5A44BF5985CCF
SHA1:	15B072DE6D6FDD92AE36F074345FA41985833E8D
SHA-256:	4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
SHA-512:	CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..O*V..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:NJl:R
MD5:	CD7C5012299C4E12645782EBBA5F15CC
SHA1:	0C1DAB18BEAF663A2561EBB77D817F085239C862
SHA-256:	B91EE3F0082FECF09C0C5203F1444E9BFAACDD14EEC73967903DBA8A86D67633
SHA-512:	B7191A9AE0DAE7E55DD3D56E0FAE5733B7905982DFCF8C99DBF2F9C86242B8497CCC598ABAE59E5EF6AEC093F52AF01AA30F27D0BF050C3DBFA9CC8F8C9D6355
Malicious:	true
Preview:	.T...2.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.830795005765378
Encrypted:	false
SSDEEP:	3:oMty8WddSWA1KMNn:oMLW6WA1j
MD5:	08E799E8E9B4FDA648F2500A40A11933
SHA1:	AC76B5E20DED247803448A2F586731ED7D84B9F3
SHA-256:	D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
SHA-512:	5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\user\AppData\Roaming\PCgOBjKh.exe

Download File

Process:	C:\Users\user\Desktop\g9WPdiOMmP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	550400
Entropy (8bit):	7.853052744252165
Encrypted:	false
SSDEEP:	12288:2zAoru8S+bng0orc61SJcDwW0PWEtFhL1DoQ4L:2x5crcncDuxDa
MD5:	917E0E9EAFC6CDA73BFF5D17CE4086CC
SHA1:	4E89EA04A18E77490366413E1FD00249B4ECCED5
SHA-256:	9E786734789A58B02FA6D10321F91833970CC44D86DB086A4B456AA1F7D7F18B
SHA-512:	4918F789103FA6E76EA4D89ADB622D647F31C7AE167C99F8BD9EAC27AE554B9BA5C51C4136B5F0017E4EEABD8D3B86F8FE58E40921B94A6B1A3C8BD8026FD1F4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 23%, Browse Antivirus: ReversingLabs, Detection: 44%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ntxb..............0..\...........z... ........@.. ....................................@..................................y..K.................................................................................... ............... ..H............text...4Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................z......H............X......v....!...V...........................................0..j.......8W.......E........8....8....8.......}....8.......}....8.......... ....(....9....& ....8.............8.......0..e.......88.......E....C...8>......}.... ....(....9....&8........8.............8....8....8.......}....8..........0..e.......8,.......E....6...81......}....8.......}....8.............8........8......*8.... ....(....9....&8........0..j.......8@.......E........8........83......}.... ...

C:\Users\user\AppData\Roaming\PCgOBjKh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\g9WPdiOMmP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220510\PowerShell_transcript.468325.gn1g3Det.20220510162806.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5791
Entropy (8bit):	5.395004252689085
Encrypted:	false
SSDEEP:	96:BZv/0NUqDo1ZFZO/0NUqDo1ZbcC0jZD/0NUqDo1ZlpkkVZe:W
MD5:	A2A93E74A1BC3D62D3C9C23959056338
SHA1:	4869FBF2D1B141C36CB2822C0C9828667A85BB5F
SHA-256:	3DEFA30C7A1F90FCAE6992E4874939C2E9B0F97D2F4B333F049D3B8B98A46365
SHA-512:	0C479A6C69E7A83A396101589614539172334EE405C7E453EA80A17B77C6067F86960E2F6ABEEA56E60E6A19C8D83467210C40916B658359C511730FE66E2286
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220510162808..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PCgOBjKh.exe..Process ID: 2176..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220510162808..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PCgOBjKh.exe..********************..Windows PowerShell transcript start..Start time: 20220510163138..Username: computer\user..RunAs User: computer\alf

C:\Users\user\Documents\20220510\PowerShell_transcript.468325.rZjLi+wd.20220510162803.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5767
Entropy (8bit):	5.384831662667496
Encrypted:	false
SSDEEP:	96:BZs/0N0EFqDo1ZfEkZQ/0N0EFqDo1Zu4EH+EHQEHjZQ/0N0EFqDo1Zr5EHAEHAEm:S
MD5:	C781F61924BCFFA01E599F41A02E2639
SHA1:	4F3868B92C266642DB30E2C533C8C2E0A71B72DC
SHA-256:	22E3B965505FC316B0922CA94D70D731495016E54308AE636F116BC46B459520
SHA-512:	06C10BA7E109AAF25A1D915D1D03A65535A94AF3C8D64B8ED092EF38F5FB15D42BAD65DD3D86F81E22DCBF9BB147ADDA1D847D2E69D914075D9F6C8705F91CED
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220510162805..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\g9WPdiOMmP.exe..Process ID: 6400..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220510162805..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\g9WPdiOMmP.exe..********************..Windows PowerShell transcript start..Start time: 20220510163125..Username: computer\user..RunAs User: computer\user..Configu

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.853052744252165
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	g9WPdiOMmP.exe
File size:	550400
MD5:	917e0e9eafc6cda73bff5d17ce4086cc
SHA1:	4e89ea04a18e77490366413e1fd00249b4ecced5
SHA256:	9e786734789a58b02fa6d10321f91833970cc44d86db086a4b456aa1f7d7f18b
SHA512:	4918f789103fa6e76ea4d89adb622d647f31c7ae167c99f8bd9eac27ae554b9ba5c51c4136b5f0017e4eeabd8d3b86f8fe58e40921b94a6b1a3c8bd8026fd1f4
SSDEEP:	12288:2zAoru8S+bng0orc61SJcDwW0PWEtFhL1DoQ4L:2x5crcncDuxDa
TLSH:	F4C4121DF7EFD512D1A81A77D0D5550403B59982BA13EB2B2CCB328619037DF8E82F9A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ntxb..............0..\...........z... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x487a2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6278746E [Mon May 9 01:54:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x879e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x85a34	0x85c00	False	0.923364485981	data	7.86281198011	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x5b8	0x600	False	0.425130208333	data	4.09213985155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x880a0	0x32c	data
RT_MANIFEST	0x883cc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2014
Assembly Version	1.0.0.0
InternalName	DirectoryStr.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Oversikt
ProductVersion	1.0.0.0
FileDescription	Oversikt
OriginalFilename	DirectoryStr.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5184.75.223.2354980938112025019 05/10/22-16:29:27.325942	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49809	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354981238112025019 05/10/22-16:29:39.486310	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49812	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980538112025019 05/10/22-16:29:13.562263	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49805	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354978138112025019 05/10/22-16:28:27.857476	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49781	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354978938112816766 05/10/22-16:28:38.861696	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49789	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354979938112816766 05/10/22-16:28:53.595561	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49799	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980638112816766 05/10/22-16:29:21.726244	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49806	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980138112816718 05/10/22-16:28:59.924134	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49801	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980338112025019 05/10/22-16:29:06.297654	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49803	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354979938112025019 05/10/22-16:28:51.974527	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49799	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354981338112025019 05/10/22-16:29:55.677533	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49813	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354978938112025019 05/10/22-16:28:37.152636	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49789	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980338112816766 05/10/22-16:29:08.157409	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49803	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980538112816766 05/10/22-16:29:14.913941	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49805	3811	192.168.2.5	184.75.223.235
184.75.223.235192.168.2.53811498092841753 05/10/22-16:29:27.684225	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	3811	49809	184.75.223.235	192.168.2.5
192.168.2.5184.75.223.2354978138112816766 05/10/22-16:28:32.594863	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49781	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354981238112816766 05/10/22-16:29:41.277572	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49812	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354979238112025019 05/10/22-16:28:44.198677	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49792	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980138112025019 05/10/22-16:28:59.097237	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49801	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980638112025019 05/10/22-16:29:19.892387	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49806	3811	192.168.2.5	184.75.223.235
184.75.223.235192.168.2.53811498132841753 05/10/22-16:29:56.405286	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	3811	49813	184.75.223.235	192.168.2.5
192.168.2.5184.75.223.2354981138112816766 05/10/22-16:29:34.142910	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49811	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354981138112025019 05/10/22-16:29:32.402001	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49811	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354979238112816766 05/10/22-16:28:45.973981	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49792	3811	192.168.2.5	184.75.223.235
192.168.2.5184.75.223.2354980138112816766 05/10/22-16:29:01.025187	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49801	3811	192.168.2.5	184.75.223.235

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 16:28:26.845132113 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:27.202249050 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:27.202400923 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:27.857475996 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:28.221658945 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:28.223398924 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:28.782270908 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:28.782347918 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:29.143345118 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:29.143492937 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:29.742455006 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:31.569048882 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:31.971219063 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:31.971390009 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:31.971486092 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.330822945 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.330950022 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.331049919 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.331279039 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.331424952 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.331490993 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.594862938 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.689232111 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.689371109 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.690958023 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.691032887 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.691170931 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.691215038 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.691410065 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.691453934 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.691694021 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.691746950 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.691957951 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.692007065 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.692084074 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.692126036 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.692255020 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:32.692301989 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:32.735924006 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.046914101 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.046993017 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.049067974 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.049170971 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.049310923 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.049370050 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.049529076 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.049624920 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.049778938 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.049843073 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.050077915 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.050137043 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.050354004 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.050406933 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.050421953 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.050450087 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.050662041 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.050725937 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.050970078 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.051031113 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.051129103 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.051193953 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.051346064 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.051405907 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.051522970 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.051585913 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.051774025 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.051834106 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.052052021 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.052109003 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:33.052573919 CEST	3811	49781	184.75.223.235	192.168.2.5
May 10, 2022 16:28:33.052637100 CEST	49781	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:36.795509100 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:37.151928902 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:37.152060032 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:37.152636051 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:37.516292095 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:37.516625881 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:37.873346090 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:37.873433113 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:38.437017918 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:38.437207937 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:38.861453056 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:38.861551046 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:38.861696005 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.218859911 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.218888044 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.218974113 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.219136953 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.219460011 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.219510078 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.575650930 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.576105118 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.576179981 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.576320887 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.576680899 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.576746941 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.576977015 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.577106953 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.577171087 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.577306986 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.577697039 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.577764034 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.760010004 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.933095932 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.933176041 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.933263063 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.933320045 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.933475971 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.933528900 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.933777094 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.933826923 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.933934927 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.933989048 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.934545040 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.934607983 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.934662104 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.934711933 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.934827089 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.934880018 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.935554981 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.935602903 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.935621977 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.935655117 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.935687065 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.935736895 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.935761929 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.935810089 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.935935020 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.935987949 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.936160088 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.936213017 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.936420918 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.936486006 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:39.936533928 CEST	3811	49789	184.75.223.235	192.168.2.5
May 10, 2022 16:28:39.936587095 CEST	49789	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:43.839131117 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:44.197614908 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:44.197729111 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:44.198677063 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:44.567528963 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:44.589246988 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:44.945873022 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:44.947341919 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:45.567727089 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:45.567833900 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:45.973767996 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:45.973803043 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:45.973980904 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.330799103 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.330857038 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.331003904 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.331137896 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.334861994 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.334976912 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.688137054 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.688159943 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.688257933 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.688621044 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.688641071 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.688736916 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.692626953 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.692837000 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.692961931 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.693062067 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.693550110 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:46.693653107 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:46.857786894 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:47.046077013 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046112061 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046128035 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046144962 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046205997 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046227932 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046526909 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.046729088 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.052221060 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:47.055644989 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.055843115 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.056114912 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.056370974 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.056569099 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.056833029 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.057163954 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.057229042 CEST	3811	49792	184.75.223.235	192.168.2.5
May 10, 2022 16:28:47.060009956 CEST	49792	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:51.259126902 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:51.617747068 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:51.630599022 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:51.974526882 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:52.337033033 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:52.346541882 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:52.704189062 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:52.705363035 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:53.333272934 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:53.595561028 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:54.153141022 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:54.401571989 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:54.639955044 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:54.852906942 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:54.852945089 CEST	3811	49799	184.75.223.235	192.168.2.5
May 10, 2022 16:28:54.853024960 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:54.853080034 CEST	49799	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:58.739774942 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:59.096386909 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:28:59.096502066 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:59.097237110 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:59.475116014 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:28:59.514619112 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:59.556997061 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:28:59.921241999 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:28:59.924134016 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:00.533493042 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:00.586229086 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.025105000 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.025130987 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.025187016 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.027970076 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.383153915 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.383483887 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.383553982 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.387140989 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.387375116 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.387444019 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.741722107 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.741790056 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.741916895 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.742224932 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.742286921 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.742353916 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.745326996 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.745572090 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.745656967 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.745877028 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.746081114 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:01.746140003 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:01.844290018 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.103935957 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.104054928 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.104176044 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.104234934 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.104415894 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.104480028 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.104655981 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.104717970 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.104907036 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.104963064 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.105159044 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.105225086 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.105293989 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.105346918 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.105495930 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.105546951 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.105838060 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.105884075 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.106015921 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.106065989 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.106298923 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.106380939 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.106494904 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.106547117 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.119304895 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.119365931 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.119414091 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.119456053 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.119662046 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.119716883 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:02.119915009 CEST	3811	49801	184.75.223.235	192.168.2.5
May 10, 2022 16:29:02.119967937 CEST	49801	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:05.941401005 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:06.296601057 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:06.296750069 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:06.297653913 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:06.665400982 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:06.666714907 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:07.028254032 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:07.028548956 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:07.584038973 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:08.157408953 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:08.784895897 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:08.785131931 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:09.147540092 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:09.210272074 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:09.210433006 CEST	3811	49803	184.75.223.235	192.168.2.5
May 10, 2022 16:29:09.210496902 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:09.210537910 CEST	49803	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:13.182900906 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:13.560934067 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:13.561207056 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:13.562263012 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:13.932467937 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:13.936888933 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:14.293886900 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:14.375268936 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:14.481587887 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:14.913721085 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:14.913929939 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:14.913940907 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:14.913986921 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.274736881 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.276021957 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.276071072 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.276156902 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.276355028 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.276439905 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.516345978 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.635986090 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.636286020 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.636358023 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.636617899 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.636668921 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.636863947 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.636928082 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.637012959 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.637056112 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.637262106 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.637305975 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:15.639410019 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.639441967 CEST	3811	49805	184.75.223.235	192.168.2.5
May 10, 2022 16:29:15.639543056 CEST	49805	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:19.533241034 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:19.889780045 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:19.891540051 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:19.892386913 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:20.254832983 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:20.267510891 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:20.625591040 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:20.625691891 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:21.262227058 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:21.296505928 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:21.726130962 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:21.726243973 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:21.728410006 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:21.728523016 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.094635963 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.096276045 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.097255945 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.097354889 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.098579884 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.099984884 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.481766939 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481818914 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481832027 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481847048 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481858969 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481870890 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481889009 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.481901884 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.482049942 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.728046894 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.857404947 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.857634068 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.857801914 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.857845068 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.857906103 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.859786034 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.859807014 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.859869957 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.859896898 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.859987020 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.860028982 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.860085011 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.860357046 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.860410929 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.860414028 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.860455990 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.860719919 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.860814095 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.860970974 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.861027002 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:22.861188889 CEST	3811	49806	184.75.223.235	192.168.2.5
May 10, 2022 16:29:22.861242056 CEST	49806	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:26.960374117 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:27.324877977 CEST	3811	49809	184.75.223.235	192.168.2.5
May 10, 2022 16:29:27.325002909 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:27.325942039 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:27.684225082 CEST	3811	49809	184.75.223.235	192.168.2.5
May 10, 2022 16:29:27.876357079 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:28.023672104 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:28.238514900 CEST	3811	49809	184.75.223.235	192.168.2.5
May 10, 2022 16:29:28.238667011 CEST	49809	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:32.041819096 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:32.401284933 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:32.401385069 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:32.402000904 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:32.766379118 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:32.766653061 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:33.124823093 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:33.125009060 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:33.692522049 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:33.695050955 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.142755032 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.142873049 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.142910004 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.142935038 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.508184910 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.508431911 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.508539915 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.508605957 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.508889914 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.508943081 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.866277933 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.866446972 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.866539955 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.866662979 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867084026 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867145061 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.867489100 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867535114 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867558956 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867587090 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:34.867784977 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:34.867841005 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.111757040 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.227725983 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.227788925 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.227916956 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.227953911 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.228161097 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.228203058 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.228434086 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.228477001 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.228645086 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.228687048 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.229099035 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.229155064 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.229203939 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.229243994 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.229273081 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.229310036 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.229500055 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.229537964 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.229778051 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.229819059 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.230050087 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.230101109 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.230431080 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.230457067 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.230487108 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.230520010 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.230676889 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.230731964 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.230892897 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.230941057 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:35.231194973 CEST	3811	49811	184.75.223.235	192.168.2.5
May 10, 2022 16:29:35.231247902 CEST	49811	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:39.128696918 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:39.485671043 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:39.485819101 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:39.486310005 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:39.849215031 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:39.849870920 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:40.207390070 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:40.252456903 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:40.297899961 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:40.860321999 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:40.860450983 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.277411938 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.277439117 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.277571917 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.279611111 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.635396957 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.635560989 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.635700941 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.637134075 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.637394905 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.637644053 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.993662119 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.993715048 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.993787050 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.993937016 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.994208097 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.994260073 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.995256901 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.995497942 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.995610952 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:41.995744944 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.996223927 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:41.996275902 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.237962008 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.352332115 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.352441072 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.352510929 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.352540016 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.352641106 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.352756023 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.352938890 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.353009939 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.353148937 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.353209019 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.353471994 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.353542089 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.353547096 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.353634119 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.353786945 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.353960991 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.354094028 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.354192019 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.354316950 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.354397058 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.354765892 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.354790926 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.354842901 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.354917049 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.354967117 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.355036020 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.355233908 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.355314016 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.355439901 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.355530024 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:42.355675936 CEST	3811	49812	184.75.223.235	192.168.2.5
May 10, 2022 16:29:42.355779886 CEST	49812	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:46.254276037 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:49.268829107 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:55.363179922 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:55.676364899 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:55.676502943 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:55.677532911 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:56.044949055 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:56.045176983 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:56.405286074 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:56.566340923 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:56.926994085 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:56.927891016 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:57.384985924 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.385236979 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.386219978 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:57.748012066 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.748265982 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.748326063 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:57.748573065 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.748770952 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:57.748814106 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.111959934 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112207890 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112236023 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112261057 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.112262964 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112318993 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.112551928 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112829924 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112881899 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.112883091 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.113181114 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.113254070 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.473120928 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.473227978 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.473339081 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.473500013 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.473715067 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.473773956 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.473943949 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.474215984 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.474271059 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.474338055 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.474558115 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.474608898 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.474828005 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.475116014 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.475169897 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.475339890 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.475445032 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.475487947 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.484011889 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.484220028 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.484318972 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.484411001 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.484780073 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.484853983 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.833782911 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.833811045 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.833842039 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.833909988 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.834253073 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.834309101 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.834497929 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.834513903 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.834539890 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.834558010 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.834896088 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.835089922 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.835124969 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.835700035 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.835758924 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.835956097 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836137056 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836204052 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.836371899 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836776972 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836813927 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836853981 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.836886883 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.836932898 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.837213039 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.837462902 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.837521076 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.837693930 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.837863922 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.837912083 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.838418961 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.838768959 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.838824034 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.838973999 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.839250088 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.839308023 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.844846010 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.844954967 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.845066071 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.845294952 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.845503092 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.845561981 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.847310066 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.847502947 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.847569942 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:58.847739935 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.847978115 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:58.848030090 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.194721937 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.194977999 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.195065975 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.195096970 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.195463896 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.195529938 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.195656061 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196032047 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196109056 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196113110 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.196286917 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196342945 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.196505070 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196742058 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.196803093 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.196989059 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.197144985 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.197206974 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.197422028 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.197803974 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.197858095 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.197906017 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.198179960 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.198240042 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.198630095 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.198652983 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.198721886 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.198728085 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.199347973 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.199429035 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.199455976 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.199484110 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.199534893 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.199575901 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200344086 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200387001 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200419903 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200428963 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.200460911 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.200670958 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200903893 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.200973988 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.201049089 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.201303005 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.201349020 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.201500893 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.201749086 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.201798916 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.202003956 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.202092886 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.202135086 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.202379942 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.202578068 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.202637911 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.202857018 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.203217983 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.203249931 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.203270912 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.203493118 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.203543901 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.203849077 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204013109 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204056978 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.204205990 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204600096 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204649925 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204659939 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.204854965 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.204906940 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.205096960 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.205372095 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.205431938 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.205600023 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.254050016 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.555932999 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.556015015 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.556026936 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.556057930 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.556303024 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.556365967 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.556545019 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.556600094 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.557929993 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.558012009 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.558161974 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.558212042 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.558377028 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.558429003 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.558629036 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.558691025 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.558903933 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.558962107 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.559120893 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.559176922 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.560152054 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.560231924 CEST	49813	3811	192.168.2.5	184.75.223.235
May 10, 2022 16:29:59.560379028 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.560445070 CEST	3811	49813	184.75.223.235	192.168.2.5
May 10, 2022 16:29:59.560483932 CEST	49813	3811	192.168.2.5	184.75.223.235

Target ID:	0
Start time:	16:27:41
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\g9WPdiOMmP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g9WPdiOMmP.exe"
Imagebase:	0x430000
File size:	550400 bytes
MD5 hash:	917E0E9EAFC6CDA73BFF5D17CE4086CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.506248784.0000000003976000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.503987328.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.502039179.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	16:28:02
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g9WPdiOMmP.exe
Imagebase:	0x230000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	16:28:02
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	16:28:03
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PCgOBjKh.exe
Imagebase:	0x230000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	16:28:03
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	16:28:04
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCgOBjKh" /XML "C:\Users\user\AppData\Local\Temp\tmp502A.tmp
Imagebase:	0xd10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	16:28:06
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	16:28:12
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x160000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	16:28:14
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x6b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000F.00000002.705979579.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.698928477.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000F.00000002.705922722.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.703857941.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000F.00000002.706208848.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.499485179.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.498430598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.499086679.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.498709574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.701504359.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	16
Start time:	16:28:20
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE651.tmp
Imagebase:	0xd10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	16:28:21
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	19
Start time:	16:28:22
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpEF7A.tmp
Imagebase:	0xd10000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	20
Start time:	16:28:23
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
Imagebase:	0xee0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	21
Start time:	16:28:23
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	22
Start time:	16:28:24
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	23
Start time:	16:28:26
Start date:	10/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x640000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Target ID:	24
Start time:	16:28:27
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	16:28:28
Start date:	10/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x790000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	26
Start time:	16:28:29
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	87
Total number of Limit Nodes:	5

Executed Functions

Function 027B3E58 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027B5451

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: afb02f4ef0f127678103f46ca3adf1cca6ea4d982bbf028a7804c642b71a1d83
Instruction ID: e59f374d814a1d37a022d8ec5c75a916b8ed585e0acb62685f721970201fb8b3
Opcode Fuzzy Hash: afb02f4ef0f127678103f46ca3adf1cca6ea4d982bbf028a7804c642b71a1d83
Instruction Fuzzy Hash: 0241EFB1D00618CBDB25CFA9C8447DEBBB6BF48308F60856AD409BB251DBB46946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027B539F Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027B5451

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a92df915daa158e7a65458075af7ba48ae2b2617ddcd608d889e092bc219aa8c
Instruction ID: 3380b09bad01034924418860c5d708ebed0d61fbbe7c1de5b2fcbe6370f2096c
Opcode Fuzzy Hash: a92df915daa158e7a65458075af7ba48ae2b2617ddcd608d889e092bc219aa8c
Instruction Fuzzy Hash: D941D1B1C00618CBDB24CFA9C8847DEFBB6BF48308F60856AD409BB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027BA2D4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027BBA9E,?,?,?,?,?), ref: 027BBB5F

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72949257a7a42d36c0344a58a34e98d62040262e2f03b796abadac074a70c1df
Instruction ID: 7f1bd92e795a4cf40c71c7fa3d00cd9a38b6f913cb6363e990a3c936e8a5238d
Opcode Fuzzy Hash: 72949257a7a42d36c0344a58a34e98d62040262e2f03b796abadac074a70c1df
Instruction Fuzzy Hash: 6421D4B59002089FDB10CFAAD584ADEFBF9EF48324F14845AE915B7210D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 027B8920 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027B9871,00000800,00000000,00000000), ref: 027B9A82

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d20c9cce41bd9a50d5c4e611206fee228f42c29a5d1cbeabc4665d9368b60713
Instruction ID: b31e089e960c2ff621a8aacab7131b787cf543e4fcded5d8312ea75598195b21
Opcode Fuzzy Hash: d20c9cce41bd9a50d5c4e611206fee228f42c29a5d1cbeabc4665d9368b60713
Instruction Fuzzy Hash: E111C2B6900209DFDB10CF9AC444BDEFBF9AF49624F14842AE629B7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 027B9790 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 027B97F6

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff1461aff689b2868b01f377f744557609f0c3783bdabd773c5d65b6fbd702a7
Instruction ID: be19933c52e41e6df1d0d40ce3b13642b5f0f32cc0edf45fb0e8551f26673fa8
Opcode Fuzzy Hash: ff1461aff689b2868b01f377f744557609f0c3783bdabd773c5d65b6fbd702a7
Instruction Fuzzy Hash: 51110FB6C00649CFCB20CF9AC444BDEFBF8AF88224F14846AD529B7600D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 027B978F Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 027B97F6

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a33ff9bda988b9461073b07036838edd4c3abd337a09ba642d799b478eaadea9
Instruction ID: 4c8637ebaf21a64a3242be9f386d8bcc8c48cee404ce99f0899b794a87db8f03
Opcode Fuzzy Hash: a33ff9bda988b9461073b07036838edd4c3abd337a09ba642d799b478eaadea9
Instruction Fuzzy Hash: 3D110FB6C00649CFCB20CF9AD444BDEFBF4AF88224F14846AD529B7600D374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500925349.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc118c65937b23fc86222dbb48cb02bf72c04758439bc9e1c989e79821dec91
Instruction ID: 87702733dee47cb7d5df84ca180d9b7ff7b06cc40d123ca842142f4727a072eb
Opcode Fuzzy Hash: 8bc118c65937b23fc86222dbb48cb02bf72c04758439bc9e1c989e79821dec91
Instruction Fuzzy Hash: B22125B1504240DFCB55DF50D9C4B26BFB6FF88328F24C669E80A0B246C336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501314019.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c645dba418803e2cf3206c5f464b1220a4507b504926daa3beee135460791270
Instruction ID: e465cf01ad485ed6965ce4e09b7de8e104d78f4cce378aa1cefda7105a21140a
Opcode Fuzzy Hash: c645dba418803e2cf3206c5f464b1220a4507b504926daa3beee135460791270
Instruction Fuzzy Hash: A4212975904284EFDB05DF50D9C4BA6BBB5FB84324F34CA6DD8094B242C33AD886DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501314019.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21972273822b349e32757ed876f4793545180aa07f8fe55dd94bf6fa95f44498
Instruction ID: 3ede9903b730899db2c30de80067f66d3653adc62cc4cc4cdfcd60182cebe892
Opcode Fuzzy Hash: 21972273822b349e32757ed876f4793545180aa07f8fe55dd94bf6fa95f44498
Instruction Fuzzy Hash: 5D210776504244DFCB14DF14D8C4B66BBB5FB88324F24C969D8094B24AC33AD887DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501314019.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba5aa5b583f31545af836b8b78a6986e99dfcff3823d4e043b229a448475b26
Instruction ID: a6e10752cf3ee15b5c13dc08ed927ac9cdaed9308e85671528f0e1cc4e4c945d
Opcode Fuzzy Hash: cba5aa5b583f31545af836b8b78a6986e99dfcff3823d4e043b229a448475b26
Instruction Fuzzy Hash: C821B0754093C08FCB12CF24C990B51BF71EB46324F28C1EAC8498B297C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500925349.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad262f7e262abacbff50db4dee8e87071a2daebf469680c606094787e0e2c0d
Instruction ID: e153c61d4bd4c42725d99304c1ac56831e083b41548bd098d35cd85d94782115
Opcode Fuzzy Hash: 6ad262f7e262abacbff50db4dee8e87071a2daebf469680c606094787e0e2c0d
Instruction Fuzzy Hash: 4F11B1B6404280CFCB12CF10D5C4B16BF71FF84324F24C6A9D8490B656C33AD95ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501314019.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f1d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bec74287bdcffcdfa7599285f44322ef2adb2956973c470928046ed4a726d0
Instruction ID: b63c037f369020be4cb247077e3461ec08394f5ab66da572a515b92f753ca91c
Opcode Fuzzy Hash: e0bec74287bdcffcdfa7599285f44322ef2adb2956973c470928046ed4a726d0
Instruction Fuzzy Hash: B911BB75904280DFCB16CF10C9C4B55BBB1FB85324F28C6AAD8494B656C33AD88ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500925349.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abc48753aaa18e8b01c8b4327ba985d15b565b0f1f8f09131f8bc341b6c49fb
Instruction ID: cd480234d4f02377b09dd0ae4283f45836a442940f4c92b2986999913d03dc96
Opcode Fuzzy Hash: 2abc48753aaa18e8b01c8b4327ba985d15b565b0f1f8f09131f8bc341b6c49fb
Instruction Fuzzy Hash: 7C0147310083449BE7244A66CC84BA7BBACEF41778F18C55AE91E0A24AD3389844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.500925349.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca7b39fbe6c5840e192eed8c1077502e47bc8757eb02061cb5ee50f177969e9
Instruction ID: 977068b0e0650d210a8f92971cea982ea3e5ff600e59dc3bcc16d949f99cccab
Opcode Fuzzy Hash: fca7b39fbe6c5840e192eed8c1077502e47bc8757eb02061cb5ee50f177969e9
Instruction Fuzzy Hash: FDF062714043449FEB248E15CC88B62FFA8EF81774F18C45AED195B286D379AD44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 027BE790 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0280d7619616bf31c6fddd2e2c69bfe7d3a35009bf8311c68be04648f5ab15b
Instruction ID: a4410461361df4a8a91eaf8b5338bc8d190b3e214f188a23bb5afd053a3cabfe
Opcode Fuzzy Hash: e0280d7619616bf31c6fddd2e2c69bfe7d3a35009bf8311c68be04648f5ab15b
Instruction Fuzzy Hash: 8F12B3F1C99B468BD390CF65E8981893FA1B745328FD1CA08D7612BAD0D7B4117ACF88

Uniqueness

Uniqueness Score: -1.00%

Function 027BC334 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6d1b9bcb77a0000c0e0d6f99395ad4c2f49cfab7f3aa6aef733512f501de9e
Instruction ID: 54b30c0f252b1546d6b1365022dc3ba3bf1f8e9d35056e397bacafac142146f5
Opcode Fuzzy Hash: 2d6d1b9bcb77a0000c0e0d6f99395ad4c2f49cfab7f3aa6aef733512f501de9e
Instruction Fuzzy Hash: 19A15F32E0061ACFCF16DFA5C8446DEBBB2FF85304B15856AE905BB221EB71A915CF40

Uniqueness

Uniqueness Score: -1.00%

Function 027BE78B Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.501777895.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_g9WPdiOMmP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc31bcede08994a87e7695540879a9914856ebb1a5c6f19799e05a3037157ddb
Instruction ID: 693a206ac7fe5b11866a0cd7fbb046b423065a745efb459b66d2efddf11e51e4
Opcode Fuzzy Hash: bc31bcede08994a87e7695540879a9914856ebb1a5c6f19799e05a3037157ddb
Instruction Fuzzy Hash: FBC11AB1C997468BD794CF65E8881897FA1BB85328F91CB08D3612B6D4D7B4107ACF88

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 4472, Parent PID: 7056COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	7

Executed Functions

Function 00E6B6C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E6B730
GetCurrentThread.KERNEL32 ref: 00E6B76D
GetCurrentProcess.KERNEL32 ref: 00E6B7AA
GetCurrentThreadId.KERNEL32 ref: 00E6B803

Strings

H, xrefs: 00E6B82F

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: 247b5091c51bad1634bf69d5913c3474ed1836271d52a9b14a20ee63ca5c26f4
Instruction ID: 203105b64e7c92f18693198983ac568b8297ea6c8235e85cb6d340d9dfbbdc60
Opcode Fuzzy Hash: 247b5091c51bad1634bf69d5913c3474ed1836271d52a9b14a20ee63ca5c26f4
Instruction Fuzzy Hash: 8D5165B4900648CFDB10CFA9D6487EEBBF1BF88304F24896AE019B7251C7746885CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B6D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E6B730
GetCurrentThread.KERNEL32 ref: 00E6B76D
GetCurrentProcess.KERNEL32 ref: 00E6B7AA
GetCurrentThreadId.KERNEL32 ref: 00E6B803

Strings

H, xrefs: 00E6B82F

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: df8aaccdafea616c69dd0deef7a95620c6dfdecb6cb84f51615e54475e2e06ad
Instruction ID: 309da86a65ef491a699277587830b207741fb317ed3310b2de73b8cf5536031d
Opcode Fuzzy Hash: df8aaccdafea616c69dd0deef7a95620c6dfdecb6cb84f51615e54475e2e06ad
Instruction Fuzzy Hash: A15144B4900648CFDB14CFAAD548BEEBBF5BF88314F24896AE019B7250C7746884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E693E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E6962E

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd364f6f19934bbca06aeb27f7385df56cf75ed52e0a06fbf070b98b1b9ac3c2
Instruction ID: 6af4e38777dae97b125f2873f45c24c066e70a69b60e31c60ace6c8142e8a984
Opcode Fuzzy Hash: fd364f6f19934bbca06aeb27f7385df56cf75ed52e0a06fbf070b98b1b9ac3c2
Instruction Fuzzy Hash: 0B714670A00B058FD764CF69D18579AB7F5FF88358F108A2EE49AD7A41DB34E806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FBEC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FD0A

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6193f4462c89e91738a09178bd19d5818bcc68d401dde344e11d5516bd764012
Instruction ID: 827e26fece794ba28162cab4a04cb3dabfedad910a2aacd6bf10ab92e7f79d34
Opcode Fuzzy Hash: 6193f4462c89e91738a09178bd19d5818bcc68d401dde344e11d5516bd764012
Instruction Fuzzy Hash: 5D51BEB1D003099FDB14CFA9D984ADEFBB5BF48354F24862AE819AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FD0A

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1f11d4b4e215a226b4b85e95776e0d244eb9be295aac1daf16d1bbfd54c43f31
Instruction ID: 6a103402359d9f436b306a8e27cb23138278c0c177db69080ddd754be87c8fbf
Opcode Fuzzy Hash: 1f11d4b4e215a226b4b85e95776e0d244eb9be295aac1daf16d1bbfd54c43f31
Instruction Fuzzy Hash: 9D419EB1D003099FDB14CF9AD884ADEFBB5BF48354F24852AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6BDC1 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6BD87

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c03d39c874510042ed52610bfc6cbec8463045abaa5e3c1716b56482fcc9557
Instruction ID: 46d3be98563db22783eba10a3fe80b7e6e2fa2e73887582e36bed36f55fbc811
Opcode Fuzzy Hash: 6c03d39c874510042ed52610bfc6cbec8463045abaa5e3c1716b56482fcc9557
Instruction Fuzzy Hash: 37316778A40F40DFE701DF71EA5A7A93BB6E78B305F10462AE9459B7D6CB780906CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00E6BCF9 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6BD87

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 178d23ed90cc65d44f755f7f4bdf66ee32f2d3372f99e943073132f1aa6dfb45
Instruction ID: c91f4fc739452dbe38c11f96c8f80427cc837751c5bcb8d7e10fe11ee5c1f2e6
Opcode Fuzzy Hash: 178d23ed90cc65d44f755f7f4bdf66ee32f2d3372f99e943073132f1aa6dfb45
Instruction Fuzzy Hash: DC21E0B6900208DFDB10CFA9D584AEEFBF5FB48324F14841AE918A7310D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6BD00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6BD87

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e20b876c5780f3e28e236403811a486a7a6504299b1f50628a0857edda3eb95d
Instruction ID: 9e2448bbaf2745702449cf9af446204195a1b8a304d07d119ad3f7fdad3e4098
Opcode Fuzzy Hash: e20b876c5780f3e28e236403811a486a7a6504299b1f50628a0857edda3eb95d
Instruction Fuzzy Hash: D621B3B59002089FDB10CF9AD584ADEFBF9EB48324F14841AE958A7210D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E68768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E696A9,00000800,00000000,00000000), ref: 00E698BA

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4638d4c6df9ba76996b343c15dc674f9ddff843dfc65129a644c5fb973330764
Instruction ID: 681a990df2bc72f73cf223fcaa32d2e70f653bf21ce721ea7f868d3aeff44550
Opcode Fuzzy Hash: 4638d4c6df9ba76996b343c15dc674f9ddff843dfc65129a644c5fb973330764
Instruction Fuzzy Hash: B71133B68002098FCB14CF9AD444ADEFBF8EB49324F14842AE419B7601C374A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E69849 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E696A9,00000800,00000000,00000000), ref: 00E698BA

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c4cb25a3d383be9ba0c80c7b34a41c2937b46fedfaf2fee2274f875d81800f6
Instruction ID: 72d38c14f858cbf5775841a7102aa1d16b1f0f72327869b6cd498d7db82c358a
Opcode Fuzzy Hash: 3c4cb25a3d383be9ba0c80c7b34a41c2937b46fedfaf2fee2274f875d81800f6
Instruction Fuzzy Hash: 721114B6C002098FDB10DF9AD444BDEFBF4EB48314F14842AD419B7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E695C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E6962E

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 21e0fff8f53bbd8dd31e53b7a70f26987ae1924b3715f5ede92b552909436908
Instruction ID: 2f5493f4b29c39b2418b93eb1f407e107726ff836c90511a3d8fc9d46d4d4daa
Opcode Fuzzy Hash: 21e0fff8f53bbd8dd31e53b7a70f26987ae1924b3715f5ede92b552909436908
Instruction Fuzzy Hash: 0411DFB5C007498FDB20CF9AD444ADEFBF8AB88324F14852AD429B7600D378A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FE38 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00E6FE9D

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9a610e5103e14814fa081b398217c017dd2a4c9e2df4da28578d20a0aee65326
Instruction ID: c59746fda14f53e7e6b79906936a6031a85f98958b0d9f823273637fd5e954d1
Opcode Fuzzy Hash: 9a610e5103e14814fa081b398217c017dd2a4c9e2df4da28578d20a0aee65326
Instruction Fuzzy Hash: CD11E0B5800209CFDB20CF99D585BEAFBF8FB48324F24845AD859B7601C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00E6FE9D

Memory Dump Source

Source File: 0000000F.00000002.700493150.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e60000_RegSvcs.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cfe2a121766005d5091dade3ef6e56ea2f207e2932d76174cafa5bec922f9434
Instruction ID: 3277c0d0d1005df59bb6e53f1866596d7f8694754ead59d225b16a3c095b2f24
Opcode Fuzzy Hash: cfe2a121766005d5091dade3ef6e56ea2f207e2932d76174cafa5bec922f9434
Instruction Fuzzy Hash: C91103B58002088FDB10CF9AD585BDEFBF8EB48324F10841AD819B7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DAD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.699845800.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dad000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ae4571199ce8ba1a38b3c3274304445ec358d015a27bd9730d2ee73cdc903f
Instruction ID: 5d360224f9161818b10e7e9284f1e64861d1b801462d32f7f4b69ee893f9a0f6
Opcode Fuzzy Hash: 55ae4571199ce8ba1a38b3c3274304445ec358d015a27bd9730d2ee73cdc903f
Instruction Fuzzy Hash: 55213AB1904240DFDF15DF54D8C0B66BFA7FB8A328F248969D8060B656C33AD855C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.699867422.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43bb1eac2e2150f6278920c76ae2659d9f3a70b664543facc124f54355f6ecec
Instruction ID: f0b5af4780131497953ee66cd19dd5cb9b0b8bdee39fe52117eb1ef2e7cc1f85
Opcode Fuzzy Hash: 43bb1eac2e2150f6278920c76ae2659d9f3a70b664543facc124f54355f6ecec
Instruction Fuzzy Hash: 53214975504240DFCB14EF10D8C4B66BBA6FB84314F24C969D84A0B346D33AD807CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.699867422.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dbd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc13e5daf0d8b1c9a98fafd3c8f19988f8aead938f3f9649754591e1e6247553
Instruction ID: 23cbd07058fb01e7d70dbb91d99b2d85296c3aafd6737ba6577fc274ae64ab26
Opcode Fuzzy Hash: dc13e5daf0d8b1c9a98fafd3c8f19988f8aead938f3f9649754591e1e6247553
Instruction Fuzzy Hash: 932180755093C0CFCB12DF20D994B55BF71EB46314F28C5EAD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DAD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.699845800.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dad000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad262f7e262abacbff50db4dee8e87071a2daebf469680c606094787e0e2c0d
Instruction ID: 48fac064aa7032bf057250ebc16e854d160bbb0851565461b9f929a3d7e450c4
Opcode Fuzzy Hash: 6ad262f7e262abacbff50db4dee8e87071a2daebf469680c606094787e0e2c0d
Instruction Fuzzy Hash: E511E976804280CFCF12CF14D5C4B56BF72FB85324F28C5A9D8050B656C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 6892, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 03130728 Relevance: 1.7, APIs: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 03131BEB

Memory Dump Source

Source File: 00000014.00000002.523946189.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3130000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 936741e488ab097de015256ea813220c9594e2989fbd75035f88970609e7daa5
Instruction ID: 114bf5b1e3e6e869bbe59424b8515dbc8b29b62dec799940dc7eed139083695f
Opcode Fuzzy Hash: 936741e488ab097de015256ea813220c9594e2989fbd75035f88970609e7daa5
Instruction Fuzzy Hash: 41714671D002199FCB24DFA9C8946DEFBF1BF49314F29852AE819AB250DB34A945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 03131A3C Relevance: 1.7, APIs: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 03131BEB

Memory Dump Source

Source File: 00000014.00000002.523946189.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3130000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: d5232dd09cf2b02261e2dd6a788f27bce146749f618c5f55a40171876f8f9620
Instruction ID: a735ad9b6e1959e6ca18937b8e7a66daed15ab7ff5ab039b28f35ae3750a4b8b
Opcode Fuzzy Hash: d5232dd09cf2b02261e2dd6a788f27bce146749f618c5f55a40171876f8f9620
Instruction Fuzzy Hash: 88711271D002199FDB24DF99C984A9EFBB1FF49314F298129E819AB250DB34A945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 03130744 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 03131BEB

Memory Dump Source

Source File: 00000014.00000002.523946189.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3130000_RegSvcs.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 0cefbe75400df0e329a563a543a2a0e4cad0b14cfe1b527bbcb4b83407a918bc
Instruction ID: 1e4fe246e2aae05ce8cd652ea3f52c68793d3b5c11f260f2ab0a9878c3fdf174
Opcode Fuzzy Hash: 0cefbe75400df0e329a563a543a2a0e4cad0b14cfe1b527bbcb4b83407a918bc
Instruction Fuzzy Hash: 2A7112B1D002189FDB24DF99C984A9EFBF1BF49314F298529E819AB350DB34A945CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 6252, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	0

Executed Functions

Function 00F80728 Relevance: 1.7, APIs: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F81BEB

Memory Dump Source

Source File: 00000017.00000002.527422293.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_f80000_dhcpmon.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: b8d6f4a8907b51651afc343e60a4a35b7c6efe552ef4394d682a4f9fcdae3011
Instruction ID: 48ccb45354ab630ba047bd8a1cf84e4c962fb00731a641ad2c55be58b67b08cd
Opcode Fuzzy Hash: b8d6f4a8907b51651afc343e60a4a35b7c6efe552ef4394d682a4f9fcdae3011
Instruction Fuzzy Hash: 00713771D002198FDB24DF99C884ADDBBF5FF48324F258229E819AB350D734A946CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00F81A3C Relevance: 1.7, APIs: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F81BEB

Memory Dump Source

Source File: 00000017.00000002.527422293.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_f80000_dhcpmon.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 25716e389bc175f1d1736760e42b0f4d94eba3bab1d5ab074e1268789f333782
Instruction ID: 5a90e12e09a8907340b7395e524e37f380bbceb4fabc3faca08ed2ae3a06f7e5
Opcode Fuzzy Hash: 25716e389bc175f1d1736760e42b0f4d94eba3bab1d5ab074e1268789f333782
Instruction Fuzzy Hash: E47124B1D002198FDB24DF99C884ADEBBB5FF48324F258129E819AB350D734A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00F80744 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F81BEB

Memory Dump Source

Source File: 00000017.00000002.527422293.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_f80000_dhcpmon.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 5a5287e4f42acaf4072e81ffb3b57211c964bc1e56af673cc0d0d22f521c6859
Instruction ID: f9c30dc9b3009603b8e1f9c4b525004f672aa05ae9b0ebb9f5e383c3cae50857
Opcode Fuzzy Hash: 5a5287e4f42acaf4072e81ffb3b57211c964bc1e56af673cc0d0d22f521c6859
Instruction Fuzzy Hash: B87113B1D002198FDB24DF99C984ADEBBB5BF48324F258129E819AB350D734A946CF81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 6268, Parent PID: 684COMMON

Executed Functions

Function 00FB0F38 Relevance: 1.8, Strings: 1, Instructions: 579COMMON

Download Yara Rule

Strings

$,2m, xrefs: 00FB176D

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID: $,2m
API String ID: 0-3778023781
Opcode ID: 58133a2c33fc180103071e564e722608dfea97d009189b90b1b2789c5214f2a9
Instruction ID: 984357128fb14e4a485bec915f03e684510a9475ae149c195349408d8fe3174c
Opcode Fuzzy Hash: 58133a2c33fc180103071e564e722608dfea97d009189b90b1b2789c5214f2a9
Instruction Fuzzy Hash: 1B324B34714605CFCB14EF75E8A07AA77A2FB88315B60892CD5028B399DB75EC42DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0728 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c0ef4bbb9d420d2720337f6fa22735a9bc2461acd922ec7f68c05336c05f03
Instruction ID: 06d724187c712acabcdc7ef50ccad9656f969e4eac842002be009e39880d45e4
Opcode Fuzzy Hash: 96c0ef4bbb9d420d2720337f6fa22735a9bc2461acd922ec7f68c05336c05f03
Instruction Fuzzy Hash: 9B314A319003448FDB15DB70D8147EA7BB2EF44310F0585AAD442973A2CFB5AD85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB08F0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553fc95016232c67f6bdfcb338d17b78ffb47c04cdc569098da2984548d38f4f
Instruction ID: a5540032eaeb12da04eedebdb9131f457da0a3a9584420ac0090304c722006a5
Opcode Fuzzy Hash: 553fc95016232c67f6bdfcb338d17b78ffb47c04cdc569098da2984548d38f4f
Instruction Fuzzy Hash: 0971A035A003488FCB159BA1C4186DEB7A2EF88314F158929D502973A5DFB5EC85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0E31 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41da4967588c394e4227ccc676d5d95b207dfa767d84c08294af325617fcb934
Instruction ID: fca05a718dd167cbbe4403394f7f12165307a2acd7c8f0143b9e576c8cbaf5fb
Opcode Fuzzy Hash: 41da4967588c394e4227ccc676d5d95b207dfa767d84c08294af325617fcb934
Instruction Fuzzy Hash: 7C3136757441148FCB19AB79C46896D77E2EF8971931608B9E502CF3B6DB32DC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0E40 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608b415f4af53f2c04f201397ba30fd2f6a5acd220d5a2e22cdcb7883805bb07
Instruction ID: 036038ef22d87e53e2c5a37ad50e6aeb64e0bbcd3dd852c8b302dbc47ff9abd9
Opcode Fuzzy Hash: 608b415f4af53f2c04f201397ba30fd2f6a5acd220d5a2e22cdcb7883805bb07
Instruction Fuzzy Hash: C421D3797505148FC758AB79C45896D73E2EF8971931208B9E606CB375DB32DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB17F8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ce975a9b3909b1a6941cc6ee6c7a49f04007b4bdb65cad35989a388aba35b3
Instruction ID: e081b21b3945651e45ec3702f0e1a847a18c6800e649511f8ac13a31fb4c8cc4
Opcode Fuzzy Hash: 62ce975a9b3909b1a6941cc6ee6c7a49f04007b4bdb65cad35989a388aba35b3
Instruction Fuzzy Hash: D611E175E102098FCF00EFB8D8459EEBBF2FF89310B11866AE50997225DB749802CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1808 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c472574d24e5696ee446113422882ff71d352c5149ef43d1c291a669a66ec56
Instruction ID: 0cd4112c1ecc7dd85db5dc37f3e8d7668a2dda07b77356ed9e87e907d2a354fe
Opcode Fuzzy Hash: 4c472574d24e5696ee446113422882ff71d352c5149ef43d1c291a669a66ec56
Instruction Fuzzy Hash: B9019E35E102099FCB00EFB9D8409AEFBF5FF893107118666E61497225EB74A901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0480 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d015365b464b7d4e560deac753fbc80df8147d1827dc6b7fbb84659b88e0e4
Instruction ID: cdcf1b9b8cd4e4d10d289864489ff0c6bea8d07d8e31139ef564d63fc2d1a005
Opcode Fuzzy Hash: 15d015365b464b7d4e560deac753fbc80df8147d1827dc6b7fbb84659b88e0e4
Instruction Fuzzy Hash: D2F054B190E3C55FCB4297B859122DE7FF19D4B200B1945EBD9C9D7163D1240A2FCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0B9C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96431383dfa3c451ca54dbe38b694356ec55a5528d8c0093199f3400d50e190f
Instruction ID: fb7ae189080becbea03b38a3e9464997d480493551d287c6a24a1c514c3d8590
Opcode Fuzzy Hash: 96431383dfa3c451ca54dbe38b694356ec55a5528d8c0093199f3400d50e190f
Instruction Fuzzy Hash: 82F01C75A403099FDB14DBA5C1597EE7BB0BB48318F250869D002E73A1CFB4AD80DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB16D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f159d869e94da3784456172f905ba011c383214c6fb089c11e614cf1a451af55
Instruction ID: 87c5c3aa4e3729ab4342c450a581dc95360ffcac0d28409c568966755ba95da8
Opcode Fuzzy Hash: f159d869e94da3784456172f905ba011c383214c6fb089c11e614cf1a451af55
Instruction Fuzzy Hash: 88D02B317002149FC710EB74E808A8537B8EF04B11F104050E504CB391DF71DC00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB04A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.536876904.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69769cab8fb941b0125d76edbe59ddf64bd566dde3f359827652143a57d3c9f1
Instruction ID: 3d5bd7c2dc5a5fb1dd8ca40d8b34483eecad4b0d0cf6930e75ce2c54f729d80d
Opcode Fuzzy Hash: 69769cab8fb941b0125d76edbe59ddf64bd566dde3f359827652143a57d3c9f1
Instruction Fuzzy Hash: 5AD067B1D00229EF8B40EFB999051DEBBF8EA09650B1045A6DA19E3211E6715A109BE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g9WPdiOMmP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g9WPdiOMmP.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fu5c34yp.wy0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krjt5ohn.f0l.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kv0ftztp.bvm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_so3a4bls.ivo.ps1

C:\Users\user\AppData\Local\Temp\tmp502A.tmp

C:\Users\user\AppData\Local\Temp\tmpE651.tmp

Windows Analysis Report
g9WPdiOMmP.exe