Edit tour

Windows Analysis Report
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Overview

General Information

Sample Name:	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Analysis ID:	881357
MD5:	81b7988b523fb109b834c76e7f0fea10
SHA1:	9d14022defd1373971a2892b1a5b5bbe830280ce
SHA256:	1617174ffdba50f5efa07c53e0ffb0d765f35cbe821173bda7cd96c1f5cfe5cd
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe (PID: 7144 cmdline: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe MD5: 81B7988B523FB109B834C76E7F0FEA10)

schtasks.exe (PID: 6060 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe (PID: 5756 cmdline: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe MD5: 81B7988B523FB109B834C76E7F0FEA10)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "8016d6d7-9a9c-4266-8244-58d40eab", "Group": "Mba-Month", "Domain1": "podzeye.duckdns.org", "Domain2": "", "Port": 414, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10a5d:$x1: NanoCore.ClientPluginHost 0x10a9a:$x2: IClientNetworkHost 0x145cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x107c5:$a: NanoCore 0x107d5:$a: NanoCore 0x10a09:$a: NanoCore 0x10a1d:$a: NanoCore 0x10a5d:$a: NanoCore 0x10824:$b: ClientPlugin 0x10a26:$b: ClientPlugin 0x10a66:$b: ClientPlugin 0x1094b:$c: ProjectData 0x11352:$d: DESCrypto 0x18d1e:$e: KeepAlive 0x16d0c:$g: LogClientMessage 0x12f07:$i: get_Connected 0x11688:$j: #=q 0x116b8:$j: #=q 0x116d4:$j: #=q 0x11704:$j: #=q 0x11720:$j: #=q 0x1173c:$j: #=q 0x1176c:$j: #=q 0x11788:$j: #=q
00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10a5d:$a1: NanoCore.ClientPluginHost 0x10a1d:$a2: NanoCore.ClientPlugin 0x12976:$b1: get_BuilderSettings 0x10879:$b2: ClientLoaderForm.resources 0x12096:$b3: PluginCommand 0x10a4e:$b4: IClientAppHost 0x1aece:$b5: GetBlockHash 0x12fce:$b6: AddHostEntry 0x16cc1:$b7: LogClientException 0x12f3b:$b8: PipeExists 0x10a87:$b9: IClientLoggingHost
00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xa8045:$x1: NanoCore.ClientPluginHost 0xa8082:$x2: IClientNetworkHost 0xabbb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa7dad:$a: NanoCore 0xa7dbd:$a: NanoCore 0xa7ff1:$a: NanoCore 0xa8005:$a: NanoCore 0xa8045:$a: NanoCore 0xa7e0c:$b: ClientPlugin 0xa800e:$b: ClientPlugin 0xa804e:$b: ClientPlugin 0xa7f33:$c: ProjectData 0xa893a:$d: DESCrypto 0xb0306:$e: KeepAlive 0xae2f4:$g: LogClientMessage 0xaa4ef:$i: get_Connected 0xa8c70:$j: #=q 0xa8ca0:$j: #=q 0xa8cbc:$j: #=q 0xa8cec:$j: #=q 0xa8d08:$j: #=q 0xa8d24:$j: #=q 0xa8d54:$j: #=q 0xa8d70:$j: #=q
00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa8045:$a1: NanoCore.ClientPluginHost 0xa8005:$a2: NanoCore.ClientPlugin 0xa9f5e:$b1: get_BuilderSettings 0xa7e61:$b2: ClientLoaderForm.resources 0xa967e:$b3: PluginCommand 0xa8036:$b4: IClientAppHost 0xb24b6:$b5: GetBlockHash 0xaa5b6:$b6: AddHostEntry 0xae2a9:$b7: LogClientException 0xaa523:$b8: PipeExists 0xa806f:$b9: IClientLoggingHost
00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11525:$a1: NanoCore.ClientPluginHost 0x114e8:$a2: NanoCore.ClientPlugin 0x118bc:$b1: get_BuilderSettings 0x11573:$b4: IClientAppHost 0x1192d:$b6: AddHostEntry 0x1199c:$b7: LogClientException 0x11911:$b8: PipeExists 0x11560:$b9: IClientLoggingHost
00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x63dd:$a: NanoCore 0x6436:$a: NanoCore 0x6473:$a: NanoCore 0x64ec:$a: NanoCore 0x19b97:$a: NanoCore 0x19bac:$a: NanoCore 0x19be1:$a: NanoCore 0x32653:$a: NanoCore 0x32668:$a: NanoCore 0x3269d:$a: NanoCore 0x643f:$b: ClientPlugin 0x647c:$b: ClientPlugin 0x6d7a:$b: ClientPlugin 0x6d87:$b: ClientPlugin 0x19953:$b: ClientPlugin 0x1996e:$b: ClientPlugin 0x1999e:$b: ClientPlugin 0x19bb5:$b: ClientPlugin 0x19bea:$b: ClientPlugin 0x3240f:$b: ClientPlugin 0x3242a:$b: ClientPlugin
00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6473:$a1: NanoCore.ClientPluginHost 0x19be1:$a1: NanoCore.ClientPluginHost 0x3269d:$a1: NanoCore.ClientPluginHost 0x6436:$a2: NanoCore.ClientPlugin 0x19bac:$a2: NanoCore.ClientPlugin 0x32668:$a2: NanoCore.ClientPlugin 0x680a:$b1: get_BuilderSettings 0x1eb27:$b1: get_BuilderSettings 0x375e3:$b1: get_BuilderSettings 0x64c1:$b4: IClientAppHost 0x687b:$b6: AddHostEntry 0x68ea:$b7: LogClientException 0x1ea96:$b7: LogClientException 0x37552:$b7: LogClientException 0x685f:$b8: PipeExists 0x64ae:$b9: IClientLoggingHost 0x19bfb:$b9: IClientLoggingHost 0x326b7:$b9: IClientLoggingHost
00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8c52e:$x1: NanoCore.ClientPluginHost 0x8c56b:$x2: IClientNetworkHost 0x9005c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9b0e2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8c1fb:$a: NanoCore 0x8c20b:$a: NanoCore 0x8c2ca:$a: NanoCore 0x8c2d9:$a: NanoCore 0x8c4da:$a: NanoCore 0x8c4ee:$a: NanoCore 0x8c52e:$a: NanoCore 0x9774c:$a: NanoCore 0x9775e:$a: NanoCore 0x9779a:$a: NanoCore 0x8c25a:$b: ClientPlugin 0x8c323:$b: ClientPlugin 0x8c4f7:$b: ClientPlugin 0x8c537:$b: ClientPlugin 0x97767:$b: ClientPlugin 0x977a3:$b: ClientPlugin 0x6126b:$c: ProjectData 0x61ec8:$c: ProjectData 0x8c41c:$c: ProjectData 0x97699:$c: ProjectData 0xd9e81:$c: ProjectData
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8c52e:$a1: NanoCore.ClientPluginHost 0x8c4ee:$a2: NanoCore.ClientPlugin 0x8e405:$b1: get_BuilderSettings 0x8c2af:$b2: ClientLoaderForm.resources 0x8db25:$b3: PluginCommand 0x8c51f:$b4: IClientAppHost 0x96958:$b5: GetBlockHash 0x8ea5d:$b6: AddHostEntry 0x99b7c:$b6: AddHostEntry 0x92750:$b7: LogClientException 0x9d6bd:$b7: LogClientException 0x8e9ca:$b8: PipeExists 0x99af0:$b8: PipeExists 0x8c558:$b9: IClientLoggingHost
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x7e074:$x1: NanoCore.ClientPluginHost 0xa5ad4:$x1: NanoCore.ClientPluginHost 0xc918d:$x1: NanoCore.ClientPluginHost 0xededf:$x1: NanoCore.ClientPluginHost 0x1156c9:$x1: NanoCore.ClientPluginHost 0x7e08e:$x2: IClientNetworkHost 0xa5aee:$x2: IClientNetworkHost 0xc91a7:$x2: IClientNetworkHost 0xedf1c:$x2: IClientNetworkHost 0x1156f6:$x2: IClientNetworkHost 0xf1a0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfca93:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43867:$a: NanoCore 0x4387b:$a: NanoCore 0x67183:$a: NanoCore 0x6f8dd:$a: NanoCore 0x7dfde:$a: NanoCore 0x7e037:$a: NanoCore 0x7e074:$a: NanoCore 0x7e0ed:$a: NanoCore 0x7e992:$a: NanoCore 0x7e9e5:$a: NanoCore 0x7ea1e:$a: NanoCore 0x7ea91:$a: NanoCore 0xa5a3e:$a: NanoCore 0xa5a97:$a: NanoCore 0xa5ad4:$a: NanoCore 0xa5b4d:$a: NanoCore 0xa6406:$a: NanoCore 0xa6459:$a: NanoCore 0xa6492:$a: NanoCore 0xa6505:$a: NanoCore 0xc90f7:$a: NanoCore
Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x7e074:$a1: NanoCore.ClientPluginHost 0xa5ad4:$a1: NanoCore.ClientPluginHost 0xc918d:$a1: NanoCore.ClientPluginHost 0xededf:$a1: NanoCore.ClientPluginHost 0x1156c9:$a1: NanoCore.ClientPluginHost 0x7e037:$a2: NanoCore.ClientPlugin 0xa5a97:$a2: NanoCore.ClientPlugin 0xc9150:$a2: NanoCore.ClientPlugin 0xede9f:$a2: NanoCore.ClientPlugin 0x115694:$a2: NanoCore.ClientPlugin 0x7e3da:$b1: get_BuilderSettings 0xa5e4e:$b1: get_BuilderSettings 0xc9507:$b1: get_BuilderSettings 0xefdb6:$b1: get_BuilderSettings 0x11a49b:$b1: get_BuilderSettings 0xedc60:$b2: ClientLoaderForm.resources 0xef4d6:$b3: PluginCommand 0x7e0c2:$b4: IClientAppHost 0xa5b22:$b4: IClientAppHost 0xc91db:$b4: IClientAppHost 0xeded0:$b4: IClientAppHost
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c0b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c40:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bff:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c21:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c30:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c5a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c6d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c80:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c8e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23caa:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c40:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c0b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b86:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28af5:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c5a:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28234:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28269:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28228:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2824a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28259:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28283:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28296:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282b7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282d3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28269:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28234:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1af:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d11e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x28283:$b9: IClientLoggingHost
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d06a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d09f:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d05e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d080:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d08f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0b9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d09f:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d06a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fe5:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f54:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0b9:$b9: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
Click to see the 57 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ProcessId: 5756, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ParentImage: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ParentProcessId: 7144, ParentProcessName: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp, ProcessId: 6060, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.26497084142816766 06/04/23-04:43:12.068942
SID:	2816766
Source Port:	49708
Destination Port:	414
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "8016d6d7-9a9c-4266-8244-58d40eab", "Group": "Mba-Month", "Domain1": "podzeye.duckdns.org", "Domain2": "", "Port": 414, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	ReversingLabs: Detection: 67%
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Virustotal: Detection: 64%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Avira: detected

Antivirus detection for URL or domain

Source: podzeye.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: podzeye.duckdns.org	Virustotal: Detection: 15%			Perma Link
Source: podzeye.duckdns.org	Virustotal: Detection: 15%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

Avira: detection malicious, Label: HEUR/AGEN.1306098

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

ReversingLabs: Detection: 67%

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR

Machine Learning detection for sample

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

Joe Sandbox ML: detected

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 192.169.69.26:414

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: podzeye.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: podzeye.duckdns.org

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365534017.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365581213.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365600611.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365617649.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.367096675.00000000055A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comR.TTF
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldno
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.367096675.00000000055A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comz
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.368418627.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.368418627.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/=
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.363939571.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.363954268.00000000055BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.366069273.00000000055E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comrmJ
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t.
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comd
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: podzeye.duckdns.org

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Code function: 3_2_04EF27E6 WSARecv,

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.374291589.000000000098B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

.NET source code contains very large strings

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: jAqpXXDLkkJ.exe.0.dr, ConsoleGame/Form1.cs	Long String: Length: 50988
Source: 0.0.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2a0000.0.unpack, ConsoleGame/Form1.cs	Long String: Length: 50988

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.50f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2c516b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BB630
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B5A28
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BE810
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BE410
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B7200
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B3A98
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BBA90
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B4748
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B6343
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BDF30
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B3FE8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B43A0
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BF679
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BAE28
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BB620
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BE01B
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BA810
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BE400
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BE800
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B3CF8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B70FF
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BAEEA
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B3CE9
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BC8E8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BC8E3
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B7EE0
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B7ED0
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B92C0
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B70C5
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B92B3
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B70AB
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B94A8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B9090
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B9080
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BBA80
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BAF44
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BBD20
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BAF24
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B71FB
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B3FD9
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B8BB8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BC398
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B4391
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027BC387
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_0B340070
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_0B341334
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_0B341336
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_0B340006
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_0B340275
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B0200
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_027B01F1
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026EAB08
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E2FA8
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E23A0
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E9068
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E8468
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E306F
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E912F

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_04CD1E22 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_04CD1DE8 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF2D32 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF2CF7 NtQuerySystemInformation,

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jAqpXXDLkkJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	ReversingLabs: Detection: 67%
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Virustotal: Detection: 64%

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File read: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Jump to behavior

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_04CD1D52 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_04CD1D1B AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF2AF2 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF2ABB AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File created: C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@22/1

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8016d6d7-9a9c-4266-8244-58d40eab2ad4}
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Mutant created: \Sessions\1\BaseNamedObjects\uGXYZONQwieVEVRcAq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: jAqpXXDLkkJ.exe.0.dr, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.2a0000.0.unpack, ConsoleGame/Form1.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_00C333C8 pushfd ; retf 006Bh
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_00C324E0 push 9C6BCA71h; ret
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_00C47B96 pushfd ; retf
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 0_2_00C47B6C pushad ; retf
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E3A60 push ecx; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E4369 push esi; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E4339 push ebp; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E58F1 pushad ; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E40D1 push esp; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E5898 pushad ; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E0170 pushad ; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E5971 pushad ; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E3D40 push esp; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E4127 push esp; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E5918 pushad ; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E4511 push edi; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E45B9 push edi; retn 0000h
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_026E4180 push ebp; retn 0000h

Source: initial sample	Static PE information: section name: .text entropy: 7.526269053088037
Source: initial sample	Static PE information: section name: .text entropy: 7.526269053088037

Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File created: C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

File opened: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Function Chain: threadResumed,threadDelayed,memAlloc,processSet,sectionLoaded,processSet,threadCreated,threadResumed,threadDelayed,windowCreated,memAlloc,threadDelayed,memAlloc,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Function Chain: processSet,threadCreated,threadResumed,threadDelayed,windowCreated,memAlloc,threadDelayed,memAlloc,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7124	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7124	Thread sleep time: -870000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7140	Thread sleep time: -42654s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7140	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7124	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 5952	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe TID: 7068	Thread sleep time: -36000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Window / User API: foregroundWindowGot 934

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Code function: 3_2_04EF112A GetSystemInfo,

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 42654
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 50000
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Thread delayed: delay time: 922337203685477

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.629776621.0000000000C72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.374291589.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.629776621.0000000000C72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Memory written: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Process created: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002D04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.442930157.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.433791763.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.508359792.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerK
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.630485256.0000000000CFC000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.623867867.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx-
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.600589161.0000000000CFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerPa
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.485213385.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.442335103.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managert$
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.501807414.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.508359792.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.501807414.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000003.508359792.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager \

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5504629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c92a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.5500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c8e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.9de8eb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.3c895fe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe PID: 5756, type: MEMORYSTR

Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF232A bind,
Source: C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Code function: 3_2_04EF22D8 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Masquerading	21 Input Capture	21 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	112 Process Injection	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	112 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Software Packing	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	65%	Virustotal		Browse
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	100%	Avira	HEUR/AGEN.1306098
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe	100%	Avira	HEUR/AGEN.1306098
C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
podzeye.duckdns.org	16%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comz	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comR.TTF	0%	URL Reputation	safe
http://www.tiro.comd	0%	URL Reputation	safe
	0%	Avira URL Cloud	safe
http://www.sakkal.comrmJ	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/=	0%	Virustotal		Browse
podzeye.duckdns.org	16%	Virustotal		Browse
http://www.t.	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/=	0%	Avira URL Cloud	safe
podzeye.duckdns.org	100%	Avira URL Cloud	malware
http://www.fontbureau.comldno	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
podzeye.duckdns.org	192.169.69.26	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
podzeye.duckdns.org	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.368418627.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/=	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.368418627.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tiro.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365534017.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365581213.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365600611.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365617649.00000000055D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coml1	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.363939571.00000000055BB000.00000004.00000020.00020000.00000000.sdmp, HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.363954268.00000000055BB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comrmJ	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.366069273.00000000055E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.t.	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comz	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.367096675.00000000055A6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.378015829.0000000006782000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comldno	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.374035218.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comR.TTF	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.367096675.00000000055A6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comd	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000003.365340286.00000000055A2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	podzeye.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	881357
Start date and time:	2023-06-04 04:41:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@22/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:42:02	API Interceptor	856x Sleep call for process: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe modified

Process:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	895
Entropy (8bit):	5.267807484859312
Encrypted:	false
SSDEEP:	24:MLF20NaL329hJ5g522rW2a2+g2s26K95rKoOz2T:MwLLG9h3go2rx9+g2X6oG2T
MD5:	B3E077F49443B4E3033A37748D818FC6
SHA1:	6C06565EF8ABD974E8D34BFDBC8981CFC67562E4
SHA-256:	D1118A0BBCF7AF4819F9678314431A418D3B77767312FA6436A6564EB0F9FF83
SHA-512:	2E55D43B305984CE230BE4E00220CC51FFB358592D9D010A77174A4E27E18D7D9F32A826D3E780AAA423A380999E50F84E6C43328162F8B2917CE00E1EFBD338
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\27ab8d047396db374abb803b446b76f0\System.Data.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1644
Entropy (8bit):	5.205337193730257
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBHs2tn:cbh47TlNQ//rydbz9I3YODOLNdq3aA
MD5:	E505E84B7674DD82695781E85F907F55
SHA1:	004AAAE57BA1FF6213D3A279CCC95446EDA68849
SHA-256:	173CD7A8C1F06287BA9251A4201C98D3F02886BF785B4AC0726421EA6475CB14
SHA-512:	46D364899919CC21EF4AD6B82A67762EB87A071381A3E4639B679B46E3FACA073C73B8A8BDBD8A4505F13AA6C734EF7CF4F472D44FF3777CEF07B761EC13D1EA
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:DSn:DSn
MD5:	6168249EA05B80227B36364801A82F6E
SHA1:	87AB76476E06A4A980558870F8DABEA3D81FE1EE
SHA-256:	FA1CB67CC9EFFA397D609F4F7B758E5FCFD80E545D979018AD9F4F6EE7314AB4
SHA-512:	2EDCC0B25F7C8D848965D35D89C707CC9AC1C0A4DE6D6B53764DCD73EDEC090E2349993D25398D2E347F2A89169A7F7FFD9D721CA15D48AAF6F09369DB4186AF
Malicious:	true
Reputation:	low
Preview:	C.:..d.H

C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546816
Entropy (8bit):	7.516638880644476
Encrypted:	false
SSDEEP:	12288:FKk4DbF53e0IUFLuEEfrrmdQ5S/eMGXZLfJOSq7Ls9:F0SEwrmW5PMGVJOSCL
MD5:	81B7988B523FB109B834C76E7F0FEA10
SHA1:	9D14022DEFD1373971A2892B1A5B5BBE830280CE
SHA-256:	1617174FFDBA50F5EFA07C53E0FFB0D765F35CBE821173BDA7CD96C1F5CFE5CD
SHA-512:	17E6BA0DBCA1CFD06D684F6A512CD6C45CA4ED161289FC14D5C5AC4244E33A55657DF85AC249EEDD2031E7DCF29FE4C5478D28EA7A4CF8D621530E1EB6331ADF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?a..............0..@...........^... ...`....@.. ....................................@..................................]..O....`............................................................................... ............... ..H............text... >... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............V..............@..B.................]......H........d..........2...hH..X............................................0..P........(...........s....}......++...+...{......s....(.......X........-....X........-..0............{.....+..&...}.......0..............0...2....0.....+....,......r...p..(.......(......(....o.........,......r?..p..(......+D...o.....+...(.......(......(.....o........(....-...........o.............d.+........0.."........~3........9.......~4.....o.......+.....+......X............-....X..........-..-

C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.516638880644476
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
File size:	546816
MD5:	81b7988b523fb109b834c76e7f0fea10
SHA1:	9d14022defd1373971a2892b1a5b5bbe830280ce
SHA256:	1617174ffdba50f5efa07c53e0ffb0d765f35cbe821173bda7cd96c1f5cfe5cd
SHA512:	17e6ba0dbca1cfd06d684f6a512cd6c45ca4ed161289fc14d5c5ac4244e33a55657df85ac249eedd2031e7dcf29fe4c5478d28ea7a4cf8d621530e1eb6331adf
SSDEEP:	12288:FKk4DbF53e0IUFLuEEfrrmdQ5S/eMGXZLfJOSq7Ls9:F0SEwrmW5PMGVJOSCL
TLSH:	42C4BE203DFB5119F1B3BFB65EE075868A6FF6332A17E45D104503864B23A81DE91A3B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?a..............0..@...........^... ...`....@.. ....................................@................................

File Icon


Icon Hash:	8e65656565a5a581

Static PE Info

General

Entrypoint:	0x485e12
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x613FEAC3 [Tue Sep 14 00:20:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
sub byte ptr [eax], al
sub al, 00h
sub dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85dc0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x13b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x83e20	0x84000	False	0.8557406338778409	data	7.526269053088037	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x13b8	0x1400	False	0.549609375	data	6.174184576615129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x86130	0xd0c	Device independent bitmap graphic, 32 x 50 x 32, image size 3200
RT_GROUP_ICON	0x86e3c	0x14	data
RT_VERSION	0x86e50	0x37c	data
RT_MANIFEST	0x871cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3192.169.69.26497084142816766 06/04/23-04:43:12.068942	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	414	192.168.2.3	192.169.69.26

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2023 04:42:08.593722105 CEST	49696	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:09.072313070 CEST	414	49696	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:09.073271036 CEST	49696	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:09.246226072 CEST	49696	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:09.575026035 CEST	414	49696	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:13.826567888 CEST	49697	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:14.075243950 CEST	414	49697	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:14.075371981 CEST	49697	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:14.076153040 CEST	49697	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:14.581448078 CEST	414	49697	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:19.022104025 CEST	49698	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:19.563606977 CEST	414	49698	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:19.563736916 CEST	49698	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:19.579202890 CEST	49698	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:20.068938017 CEST	414	49698	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:24.265559912 CEST	49699	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:24.578030109 CEST	414	49699	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:24.578366041 CEST	49699	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:24.579011917 CEST	49699	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:25.069581985 CEST	414	49699	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:29.295825958 CEST	49700	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:29.573273897 CEST	414	49700	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:29.573376894 CEST	49700	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:29.573837042 CEST	49700	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:30.069685936 CEST	414	49700	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:34.268313885 CEST	49701	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:34.573151112 CEST	414	49701	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:34.573282957 CEST	49701	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:34.573657036 CEST	49701	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:35.068526030 CEST	414	49701	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:39.284648895 CEST	49702	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:39.576230049 CEST	414	49702	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:39.578665018 CEST	49702	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:39.579507113 CEST	49702	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:40.069488049 CEST	414	49702	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:44.197591066 CEST	49703	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:44.578819990 CEST	414	49703	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:44.579087019 CEST	49703	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:44.579682112 CEST	49703	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:45.071170092 CEST	414	49703	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:49.353243113 CEST	49704	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:49.573173046 CEST	414	49704	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:49.573282957 CEST	49704	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:49.605051994 CEST	49704	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:50.070497990 CEST	414	49704	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:54.453860998 CEST	49705	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:55.065051079 CEST	414	49705	192.169.69.26	192.168.2.3
Jun 4, 2023 04:42:55.065272093 CEST	49705	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:55.118761063 CEST	49705	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:42:55.573617935 CEST	414	49705	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:00.431969881 CEST	49706	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:01.064155102 CEST	414	49706	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:01.064308882 CEST	49706	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:01.065073013 CEST	49706	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:01.568650961 CEST	414	49706	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:06.146394968 CEST	49707	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:06.574738979 CEST	414	49707	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:06.574925900 CEST	49707	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:06.575464010 CEST	49707	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:07.072035074 CEST	414	49707	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:11.383093119 CEST	49708	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:11.571010113 CEST	414	49708	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:11.571146965 CEST	49708	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:11.588933945 CEST	49708	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:12.068942070 CEST	49708	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:12.070327044 CEST	414	49708	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:12.571326971 CEST	414	49708	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:16.366458893 CEST	49709	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:16.574939966 CEST	414	49709	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:16.575073957 CEST	49709	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:16.577032089 CEST	49709	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:17.070564985 CEST	414	49709	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:21.192884922 CEST	49710	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:21.573195934 CEST	414	49710	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:21.573338032 CEST	49710	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:21.603037119 CEST	49710	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:22.070581913 CEST	414	49710	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:26.181845903 CEST	49711	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:26.572562933 CEST	414	49711	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:26.574724913 CEST	49711	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:26.576728106 CEST	49711	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:27.069644928 CEST	414	49711	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:34.509677887 CEST	49712	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:35.065113068 CEST	414	49712	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:35.065305948 CEST	49712	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:35.065699100 CEST	49712	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:35.570178032 CEST	414	49712	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:40.214036942 CEST	49713	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:40.576226950 CEST	414	49713	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:40.576329947 CEST	49713	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:40.582603931 CEST	49713	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:41.069681883 CEST	414	49713	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:45.923980951 CEST	49714	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:46.568640947 CEST	414	49714	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:46.569830894 CEST	49714	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:46.593607903 CEST	49714	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:47.075848103 CEST	414	49714	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:51.273710012 CEST	49715	414	192.168.2.3	192.169.69.26
Jun 4, 2023 04:43:51.575884104 CEST	414	49715	192.169.69.26	192.168.2.3
Jun 4, 2023 04:43:51.576004982 CEST	49715	414	192.168.2.3	192.169.69.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 4, 2023 04:42:08.461453915 CEST	52387	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:08.584316015 CEST	53	52387	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:13.804982901 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:13.825361967 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:18.991372108 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:19.019965887 CEST	53	60625	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:24.148152113 CEST	49302	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:24.261750937 CEST	53	49302	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:29.265285969 CEST	53975	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:29.294018984 CEST	53	53975	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:34.246910095 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:34.267290115 CEST	53	51139	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:39.262290001 CEST	52955	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:39.283380985 CEST	53	52955	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:44.172225952 CEST	60582	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:44.195631981 CEST	53	60582	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:49.229825974 CEST	57134	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:49.352425098 CEST	53	57134	8.8.8.8	192.168.2.3
Jun 4, 2023 04:42:54.336741924 CEST	62050	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:42:54.450535059 CEST	53	62050	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:00.401382923 CEST	56042	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:00.430135012 CEST	53	56042	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:06.116441965 CEST	59636	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:06.145123959 CEST	53	59636	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:11.264379025 CEST	55638	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:11.382052898 CEST	53	55638	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:16.186063051 CEST	57704	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:16.313746929 CEST	53	57704	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:21.163583994 CEST	65320	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:21.191978931 CEST	53	65320	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:26.157421112 CEST	60767	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:26.178278923 CEST	53	60767	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:34.487503052 CEST	65107	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:34.508172035 CEST	53	65107	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:40.115076065 CEST	53848	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:40.144586086 CEST	53	53848	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:45.902225018 CEST	57571	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:45.922760963 CEST	53	57571	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:51.144181013 CEST	58691	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:51.269069910 CEST	53	58691	8.8.8.8	192.168.2.3
Jun 4, 2023 04:43:57.385121107 CEST	53305	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:43:57.499840975 CEST	53	53305	8.8.8.8	192.168.2.3
Jun 4, 2023 04:44:02.610562086 CEST	59433	53	192.168.2.3	8.8.8.8
Jun 4, 2023 04:44:02.639483929 CEST	53	59433	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 4, 2023 04:42:08.461453915 CEST	192.168.2.3	8.8.8.8	0xb877	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:13.804982901 CEST	192.168.2.3	8.8.8.8	0x5851	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:18.991372108 CEST	192.168.2.3	8.8.8.8	0xe43e	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:24.148152113 CEST	192.168.2.3	8.8.8.8	0x19ef	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:29.265285969 CEST	192.168.2.3	8.8.8.8	0x3894	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:34.246910095 CEST	192.168.2.3	8.8.8.8	0xb827	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:39.262290001 CEST	192.168.2.3	8.8.8.8	0xeca7	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:44.172225952 CEST	192.168.2.3	8.8.8.8	0x21c2	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:49.229825974 CEST	192.168.2.3	8.8.8.8	0xd1f	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:54.336741924 CEST	192.168.2.3	8.8.8.8	0x706e	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:00.401382923 CEST	192.168.2.3	8.8.8.8	0x8b26	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:06.116441965 CEST	192.168.2.3	8.8.8.8	0x3ccb	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:11.264379025 CEST	192.168.2.3	8.8.8.8	0x76f0	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:16.186063051 CEST	192.168.2.3	8.8.8.8	0x21fa	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:21.163583994 CEST	192.168.2.3	8.8.8.8	0x6884	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:26.157421112 CEST	192.168.2.3	8.8.8.8	0x8134	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:34.487503052 CEST	192.168.2.3	8.8.8.8	0x198d	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:40.115076065 CEST	192.168.2.3	8.8.8.8	0x686	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:45.902225018 CEST	192.168.2.3	8.8.8.8	0xaba2	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:51.144181013 CEST	192.168.2.3	8.8.8.8	0x8ad3	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:57.385121107 CEST	192.168.2.3	8.8.8.8	0x720d	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:44:02.610562086 CEST	192.168.2.3	8.8.8.8	0x682b	Standard query (0)	podzeye.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 4, 2023 04:42:08.584316015 CEST	8.8.8.8	192.168.2.3	0xb877	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:13.825361967 CEST	8.8.8.8	192.168.2.3	0x5851	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:19.019965887 CEST	8.8.8.8	192.168.2.3	0xe43e	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:24.261750937 CEST	8.8.8.8	192.168.2.3	0x19ef	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:29.294018984 CEST	8.8.8.8	192.168.2.3	0x3894	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:34.267290115 CEST	8.8.8.8	192.168.2.3	0xb827	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:39.283380985 CEST	8.8.8.8	192.168.2.3	0xeca7	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:44.195631981 CEST	8.8.8.8	192.168.2.3	0x21c2	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:49.352425098 CEST	8.8.8.8	192.168.2.3	0xd1f	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:42:54.450535059 CEST	8.8.8.8	192.168.2.3	0x706e	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:00.430135012 CEST	8.8.8.8	192.168.2.3	0x8b26	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:06.145123959 CEST	8.8.8.8	192.168.2.3	0x3ccb	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:11.382052898 CEST	8.8.8.8	192.168.2.3	0x76f0	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:16.313746929 CEST	8.8.8.8	192.168.2.3	0x21fa	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:21.191978931 CEST	8.8.8.8	192.168.2.3	0x6884	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:26.178278923 CEST	8.8.8.8	192.168.2.3	0x8134	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:34.508172035 CEST	8.8.8.8	192.168.2.3	0x198d	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:40.144586086 CEST	8.8.8.8	192.168.2.3	0x686	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:45.922760963 CEST	8.8.8.8	192.168.2.3	0xaba2	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:51.269069910 CEST	8.8.8.8	192.168.2.3	0x8ad3	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:43:57.499840975 CEST	8.8.8.8	192.168.2.3	0x720d	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
Jun 4, 2023 04:44:02.639483929 CEST	8.8.8.8	192.168.2.3	0x682b	No error (0)	podzeye.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:42:02
Start date:	04/06/2023
Path:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Imagebase:	0x2a0000
File size:	546816 bytes
MD5 hash:	81B7988B523FB109B834C76E7F0FEA10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.380153441.0000000009E78000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.375141713.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.380153441.0000000009D51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 6060, Parent PID: 7144

General

Target ID:	1
Start time:	04:42:07
Start date:	04/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAqpXXDLkkJ" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp
Imagebase:	0x8f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 6088, Parent PID: 6060

General

Target ID:	2
Start time:	04:42:07
Start date:	04/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exePID: 5756, Parent PID: 7144

General

Target ID:	3
Start time:	04:42:07
Start date:	04/06/2023
Path:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Imagebase:	0x460000
File size:	546816 bytes
MD5 hash:	81B7988B523FB109B834C76E7F0FEA10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.628751592.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Disassembly

⊘No disassembly

Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.376251483.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000000.362311264.00000000002A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameConcurrentExclusiveTaskSchedul.exe8 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.374291589.000000000098B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.379846502.0000000006E00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.377846912.0000000005360000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.375141713.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000000.00000002.374291589.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameConcurrentExclusiveTaskSchedul.exe8 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.629776621.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.631138634.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640270105.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.635994119.0000000003C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640558600.0000000005520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe, 00000003.00000002.640443999.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe
Source: HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe	Binary or memory string: OriginalFilenameConcurrentExclusiveTaskSchedul.exe8 vs HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe.log

C:\Users\user\AppData\Local\Temp\tmpBEA2.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe

C:\Users\user\AppData\Roaming\jAqpXXDLkkJ.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
HEUR-Trojan.MSIL.Taskun.gen-1617174ffdba50f5e.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre