Loading ...

Play interactive tourEdit tour

Analysis Report 1PO_4100184440.exe

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:167281
Start date:25.08.2019
Start time:20:39:04
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 48s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:1PO_4100184440.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@18/8@23/1
EGA Information:
  • Successful, ratio: 71.4%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 82%
  • Number of executed functions: 139
  • Number of non-executed functions: 237
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 67.27.150.254, 8.247.210.254, 67.24.27.254, 8.253.208.120, 67.27.153.126, 8.247.209.126, 8.247.209.254, 8.247.211.126, 67.24.35.254, 8.248.5.254
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net
  • Execution Graph export aborted for target RegAsm.exe, PID 5036 because it is empty
  • Execution Graph export aborted for target dpapimig.bat, PID 4648 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
Nanocore
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid Accounts2Scripting111Registry Run Keys / Startup Folder11Exploitation for Privilege Escalation1Software Packing11Input Capture21System Time Discovery2Remote File Copy1Input Capture21Data Encrypted11Uncommonly Used Port1
Replication Through Removable MediaExecution through API1Valid Accounts2Valid Accounts2Disabling Security Tools11Network SniffingAccount Discovery1Remote ServicesClipboard Data2Exfiltration Over Other Network MediumCommonly Used Port1
Drive-by CompromiseGraphical User Interface2Scheduled Task1Access Token Manipulation21Deobfuscate/Decode Files or Information11Input CaptureSecurity Software Discovery41Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy1
Exploit Public-Facing ApplicationScheduled Task1System FirmwareProcess Injection111Scripting111Credentials in FilesFile and Directory Discovery2Logon ScriptsInput CaptureData EncryptedStandard Cryptographic Protocol1
Spearphishing LinkCommand-Line InterfaceShortcut ModificationScheduled Task1Obfuscated Files or Information2Account ManipulationSystem Information Discovery14Shared WebrootData StagedScheduled TransferRemote Access Tools1
Spearphishing AttachmentGraphical User InterfaceModify Existing ServiceNew ServiceMasquerading1Brute ForceQuery Registry1Third-party SoftwareScreen CaptureData Transfer Size LimitsStandard Non-Application Layer Protocol1
Spearphishing via ServiceScriptingPath InterceptionScheduled TaskValid Accounts2Two-Factor Authentication InterceptionProcess Discovery3Pass the HashEmail CollectionExfiltration Over Command and Control ChannelStandard Application Layer Protocol11
Supply Chain CompromiseThird-party SoftwareLogon ScriptsProcess InjectionAccess Token Manipulation21Bash HistoryApplication Window Discovery11Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer Protocol
Trusted RelationshipRundll32DLL Search Order HijackingService Registry Permissions WeaknessProcess Injection111Input PromptSystem Owner/User Discovery1Windows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer Encryption
Hardware AdditionsPowerShellChange Default File AssociationExploitation for Privilege EscalationDLL Side-Loading1KeychainProcess DiscoveryTaint Shared ContentAudio CaptureConnection Proxy

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus or Machine Learning detection for dropped fileShow sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batJoe Sandbox ML: detected
Antivirus or Machine Learning detection for sampleShow sources
Source: 1PO_4100184440.exeJoe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked fileShow sources
Source: 15.3.dpapimig.bat.3550000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 12.3.dpapimig.bat.3140000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C64696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C64696
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00C6C9C7
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6C93C FindFirstFileW,FindClose,0_2_00C6C93C
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6F200
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6F35D
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C6F65E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00164696 GetFileAttributesW,FindFirstFileW,FindClose,12_2_00164696
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016C93C FindFirstFileW,FindClose,12_2_0016C93C
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,12_2_0016C9C7
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0016F200
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0016F35D
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0016F65E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00163A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_00163A2B
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00163D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_00163D4E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0016BF27

Networking:

barindex
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.2.5:49709 -> 194.5.98.88:12
Uses dynamic DNS servicesShow sources
Source: unknownDNS query: name: austin12.duckdns.org
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Contains functionality to download additional files from the internetShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00C725E2
Found strings which match to known social media urlsShow sources
Source: RegAsm.exe, 00000002.00000003.631867023.0000000004151000.00000004.00000001.sdmpString found in binary or memory: youtube equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: austin12.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboardShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C7425A
Contains functionality to read the clipboard dataShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C7425A
Contains functionality to retrieve information about pressed keystrokesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C60219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00C60219
Installs a raw input device (often for capturing keystrokes)Show sources
Source: RegAsm.exe, 00000002.00000002.1044658972.00000000040F7000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 0000000C.00000003.686324153.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.680662581.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624888751.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.705203679.00000000038C6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.703479253.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.684391636.0000000003142000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624547404.000000000453C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.682330715.00000000038C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.706826938.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.686912400.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.703209984.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.704865084.0000000003CDF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624958385.0000000004509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.705485503.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Nanocore RAT
Source: 00000000.00000003.624710999.00000000044A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624627051.00000000045A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.623027301.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.685208058.000000000392C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.623334885.00000000044D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.622792571.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.702675137.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.704671691.0000000003552000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000010.00000002.728203647.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000D.00000002.708878373.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000F.00000003.706310769.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.687006392.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 0000000C.00000003.681287150.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000002.00000002.1040960092.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624416578.0000000003D42000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000002.00000002.1045966414.0000000005DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000002.00000002.1045966414.0000000005DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Nanocore RAT
Source: 0000000C.00000003.685589610.0000000003990000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 00000000.00000003.624786204.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT
Source: 15.3.dpapimig.bat.3550000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 15.3.dpapimig.bat.3550000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 2.2.RegAsm.exe.5440000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 2.2.RegAsm.exe.5440000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 2.2.RegAsm.exe.5dd0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 2.2.RegAsm.exe.5dd0000.4.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 12.3.dpapimig.bat.3140000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 12.3.dpapimig.bat.3140000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 2.2.RegAsm.exe.5dd0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 2.2.RegAsm.exe.5dd0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nanocore RAT
Binary is likely a compiled AutoIt script fileShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: This is a third-party compiled AutoIt script.0_2_00C03B4C
Source: 1PO_4100184440.exeString found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1PO_4100184440.exe, 00000000.00000000.617704416.0000000000C8F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: This is a third-party compiled AutoIt script.12_2_00103B4C
Source: dpapimig.batString found in binary or memory: This is a third-party compiled AutoIt script.
Source: dpapimig.bat, 0000000C.00000002.698125020.000000000018F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: dpapimig.bat, 0000000F.00000000.697349756.000000000018F000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
Source: dpapimig.bat, 0000000F.00000000.697349756.000000000018F000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: 1PO_4100184440.exeString found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1PO_4100184440.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sampleStatic PE information: Filename: 1PO_4100184440.exe
Potential malicious VBS script found (suspicious strings)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeDropped file: Set objShell = WScript.CreateObject("WScript.Shell")Jump to dropped file
Contains functionality to call native functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_05401A02 NtQuerySystemInformation,2_2_05401A02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_054019C7 NtQuerySystemInformation,2_2_054019C7
Contains functionality to communicate with device driversShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C640B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00C640B1
Contains functionality to launch a process as a different userShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C58858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C58858
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00C6545F
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,12_2_0016545F
Creates mutexesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{743bf3e9-afe3-4b1c-afbb-93b1b9bfcf40}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_01
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C0E0600_2_00C0E060
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C806650_2_00C80665
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C0E8000_2_00C0E800
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C80AE20_2_00C80AE2
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C233C70_2_00C233C7
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C0FE400_2_00C0FE40
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C8804A0_2_00C8804A
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C141400_2_00C14140
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C224050_2_00C22405
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C365220_2_00C36522
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C3267E0_2_00C3267E
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C168430_2_00C16843
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2283A0_2_00C2283A
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C389DF0_2_00C389DF
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C36A940_2_00C36A94
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C18A0E0_2_00C18A0E
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C5EB070_2_00C5EB07
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C68B130_2_00C68B13
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2CD610_2_00C2CD61
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C370060_2_00C37006
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C131900_2_00C13190
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C1710E0_2_00C1710E
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C012870_2_00C01287
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2F4190_2_00C2F419
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C216C40_2_00C216C4
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C156800_2_00C15680
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C158C00_2_00C158C0
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C278D30_2_00C278D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E2FA82_2_052E2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052EAF882_2_052EAF88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E86B82_2_052E86B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E38502_2_052E3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E23A02_2_052E23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E32BB2_2_052E32BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E92B82_2_052E92B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E306F2_2_052E306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_052E937F2_2_052E937F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_02EC01C85_2_02EC01C8
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0010E06012_2_0010E060
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0018066512_2_00180665
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0010E80012_2_0010E800
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00180AE212_2_00180AE2
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001233C712_2_001233C7
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0010FE4012_2_0010FE40
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0018804A12_2_0018804A
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0011414012_2_00114140
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012240512_2_00122405
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0013652212_2_00136522
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0013267E12_2_0013267E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012283A12_2_0012283A
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0011684312_2_00116843
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001389DF12_2_001389DF
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00118A0E12_2_00118A0E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00136A9412_2_00136A94
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00168B1312_2_00168B13
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0015EB0712_2_0015EB07
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012CD6112_2_0012CD61
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0013700612_2_00137006
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0011710E12_2_0011710E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0011319012_2_00113190
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0010128712_2_00101287
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012F41912_2_0012F419
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0011568012_2_00115680
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001216C412_2_001216C4
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001278D312_2_001278D3
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001158C012_2_001158C0
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012DBB512_2_0012DBB5
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00121BB812_2_00121BB8
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00139D0512_2_00139D05
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00121FD012_2_00121FD0
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012BFE612_2_0012BFE6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_04FE2FA813_2_04FE2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_04FE23A013_2_04FE23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_04FE385013_2_04FE3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 13_2_04FE306F13_2_04FE306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D123A016_2_00D123A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D12FA816_2_00D12FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D1385016_2_00D13850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D1306F16_2_00D1306F
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: String function: 00C07F41 appears 33 times
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: String function: 00C20D27 appears 68 times
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: String function: 00120D27 appears 70 times
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: String function: 00128B40 appears 42 times
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: String function: 00107F41 appears 35 times
PE file contains strange resourcesShow sources
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1PO_4100184440.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dpapimig.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeFile read: C:\Users\user\Desktop\1PO_4100184440.exeJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
Yara signature matchShow sources
Source: 0000000C.00000003.686324153.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.686324153.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.680662581.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.680662581.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624888751.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624888751.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.705203679.00000000038C6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.705203679.00000000038C6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.703479253.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.703479253.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.684391636.0000000003142000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.684391636.0000000003142000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624547404.000000000453C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624547404.000000000453C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.682330715.00000000038C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.682330715.00000000038C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.706826938.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.706826938.0000000003C78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.686912400.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.686912400.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.703209984.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.703209984.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.704865084.0000000003CDF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.704865084.0000000003CDF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624958385.0000000004509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624958385.0000000004509000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.705485503.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.705485503.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.624710999.00000000044A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624710999.00000000044A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624627051.00000000045A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624627051.00000000045A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.623027301.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.623027301.0000000003FE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.685208058.000000000392C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.685208058.000000000392C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.623334885.00000000044D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.623334885.00000000044D5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.622792571.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.622792571.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.702675137.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.702675137.0000000000B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.704671691.0000000003552000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.704671691.0000000003552000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.728203647.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.728203647.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.708878373.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.708878373.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000003.706310769.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.706310769.0000000003C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.687006392.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.687006392.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.681287150.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.681287150.00000000033D6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1040960092.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1040960092.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624416578.0000000003D42000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624416578.0000000003D42000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1045966414.0000000005DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1045966414.0000000005DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000003.685589610.0000000003990000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.685589610.0000000003990000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.624786204.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.624786204.0000000004471000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 15.3.dpapimig.bat.3550000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.dpapimig.bat.3550000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.3.dpapimig.bat.3550000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.5440000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.RegAsm.exe.5440000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegAsm.exe.5dd0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.RegAsm.exe.5dd0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 12.3.dpapimig.bat.3140000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.dpapimig.bat.3140000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.3.dpapimig.bat.3140000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegAsm.exe.5dd0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.RegAsm.exe.5dd0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to securityShow sources
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.evad.winEXE@18/8@23/1
Contains functionality for error loggingShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6A2D5 GetLastError,FormatMessageW,0_2_00C6A2D5
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C58713 AdjustTokenPrivileges,CloseHandle,0_2_00C58713
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C58CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00C58CC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_054017C2 AdjustTokenPrivileges,2_2_054017C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_0540178B AdjustTokenPrivileges,2_2_0540178B
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00158713 AdjustTokenPrivileges,CloseHandle,12_2_00158713
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00158CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,12_2_00158CC3
Contains functionality to check free disk spaceShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00C6B59E
Contains functionality to enum processes or threadsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C63E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,0_2_00C63E91
Contains functionality to instantiate COM classesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C786D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00C786D0
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C04FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00C04FE9
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeFile created: C:\Users\Public\dexkxzbuekaexumzbabc.vbsJump to behavior
Creates temporary filesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeFile created: C:\AppData\Local\Temp\adtschemaJump to behavior
Executes visual basic scriptsShow sources
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\dexkxzbuekaexumzbabc.vbs'
PE file has an executable .text section and no other executable sectionShow sources
Source: 1PO_4100184440.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Reads ini filesShow sources
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\1PO_4100184440.exe 'C:\Users\user\Desktop\1PO_4100184440.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE22.tmp'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\dexkxzbuekaexumzbabc.vbs'
Source: unknownProcess created: C:\AppData\Local\Temp\adtschema\dpapimig.bat 'C:\AppData\Local\Temp\adtschema\dpapimig.bat'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\Public\dexkxzbuekaexumzbabc.vbs'
Source: unknownProcess created: C:\AppData\Local\Temp\adtschema\dpapimig.bat 'C:\AppData\Local\Temp\adtschema\dpapimig.bat'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\1PO_4100184440.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE22.tmp'Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\AppData\Local\Temp\adtschema\dpapimig.bat 'C:\AppData\Local\Temp\adtschema\dpapimig.bat' Jump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\AppData\Local\Temp\adtschema\dpapimig.bat 'C:\AppData\Local\Temp\adtschema\dpapimig.bat' Jump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: 1PO_4100184440.exeStatic file information: File size 1409026 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
PE file contains a mix of data directories often seen in goodwareShow sources
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directoryShow sources
Source: 1PO_4100184440.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: indows\RegAsm.pdbpdbAsm.pdbUs source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\RegAsm.pdb^ source: RegAsm.exe, 00000002.00000002.1042504276.0000000002C16000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000002.00000002.1045712442.00000000059E0000.00000002.00000001.sdmp
PE file contains a valid data directory to section mappingShow sources
Source: 1PO_4100184440.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1PO_4100184440.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1PO_4100184440.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1PO_4100184440.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1PO_4100184440.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
.NET source code contains potential unpackerShow sources
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C7C304 LoadLibraryA,GetProcAddress,0_2_00C7C304
PE file contains an invalid checksumShow sources
Source: dpapimig.bat.0.drStatic PE information: real checksum: 0x12f5c7 should be: 0x15a595
Source: 1PO_4100184440.exeStatic PE information: real checksum: 0x12f5c7 should be: 0x15a591
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C28B85 push ecx; ret 0_2_00C28B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01339D5A push eax; retf 2_2_01339D5D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_01339D5E pushad ; retf 2_2_01339D61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_013374B4 push ecx; ret 2_2_013374B5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_013374C0 push ebp; ret 2_2_013374C1
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0010C590 push eax; retn 0010h12_2_0010C599
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00128B85 push ecx; ret 12_2_00128B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D1096D push ss; ret 16_2_00D10974
.NET source code contains many randomly named methodsShow sources
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.3.1PO_4100184440.exe.3d40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.3.dpapimig.bat.3140000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.3.dpapimig.bat.3550000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeFile created: C:\AppData\Local\Temp\adtschema\dpapimig.batJump to dropped file
Drops files with a non-matching file extension (content does not match file extension)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeFile created: C:\AppData\Local\Temp\adtschema\dpapimig.batJump to dropped file

Boot Survival:

barindex
Creates autostart registry keys with suspicious values (likely registry only malware)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run dexkxzbuekaexumzbabc C:\Users\Public\dexkxzbuekaexumzbabc.vbsJump to behavior
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE22.tmp'
Creates an autostart registry keyShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run dexkxzbuekaexumzbabcJump to behavior
Source: C:\Users\user\Desktop\1PO_4100184440.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run dexkxzbuekaexumzbabcJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C04A35
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C855FD
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00104A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,12_2_00104A35
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_001855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,12_2_001855FD
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C233C7
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\1PO_4100184440.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 923Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 743Jump to behavior
Found evasive API chain (date check)Show sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\1PO_4100184440.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-75330
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeAPI coverage: 7.2 %
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batAPI coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2572Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4940Thread sleep time: -32000s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1680Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5108Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3212Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C64696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C64696
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00C6C9C7
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6C93C FindFirstFileW,FindClose,0_2_00C6C93C
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6F200
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6F35D
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C6F65E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00164696 GetFileAttributesW,FindFirstFileW,FindClose,12_2_00164696
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016C93C FindFirstFileW,FindClose,12_2_0016C93C
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,12_2_0016C9C7
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0016F200
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,12_2_0016F35D
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0016F65E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00163A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_00163A2B
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00163D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,12_2_00163D4E
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0016BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,12_2_0016BF27
Contains functionality to query system informationShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C04AFE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: RegAsm.exe, 00000002.00000002.1046458858.0000000006680000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000002.00000002.1046458858.0000000006680000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000002.00000002.1046458858.0000000006680000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000002.00000002.1046458858.0000000006680000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit pointsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeAPI call chain: ExitProcess graph end nodegraph_0-74931
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batAPI call chain: ExitProcess graph end node
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\wscript.exeSystem information queried: KernelDebuggerInformationJump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C741FD BlockInput,0_2_00C741FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C03B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)Show sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_00135CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,12_2_00135CCC
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C7C304 LoadLibraryA,GetProcAddress,0_2_00C7C304
Contains functionality to read the PEBShow sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 15_3_01BB00BE mov esi, dword ptr fs:[00000030h]15_3_01BB00BE
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 15_3_01BB00BE mov esi, dword ptr fs:[00000030h]15_3_01BB00BE
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00C581F7
Enables debug privilegesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: DebugJump to behavior
Contains functionality to register its own exception handlerShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2A364 SetUnhandledExceptionFilter,0_2_00C2A364
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C2A395
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012A364 SetUnhandledExceptionFilter,12_2_0012A364
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 12_2_0012A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0012A395
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to inject code into remote processesShow sources
Source: C:\AppData\Local\Temp\adtschema\dpapimig.batCode function: 15_3_01BB00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,15_3_01BB00BE
Contains functionality to execute programs as a different userShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C58C93 LogonUserW,0_2_00C58C93
Contains functionality to launch a program with higher privilegesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C03B4C
Contains functionality to simulate keystroke pressesShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C04A35
Contains functionality to simulate mouse eventsShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C64EC9 mouse_event,0_2_00C64EC9
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE22.tmp'Jump to behavior
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00C581F7
Contains functionality to create a new security descriptorShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C64C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00C64C03
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: 1PO_4100184440.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000002.00000002.1044498376.000000000340A000.00000004.00000001.sdmpBinary or memory string: Program Managere
Source: dpapimig.bat, 0000000C.00000002.699557093.0000000000310000.00000004.00000020.sdmpBinary or memory string: WinExists("Program Manager") = "0"
Source: dpapimig.bat, 0000000C.00000002.699557093.0000000000310000.00000004.00000020.sdmpBinary or memory string: Program Manager&
Source: RegAsm.exe, 00000002.00000002.1042058264.0000000001550000.00000002.00000001.sdmp, dpapimig.bat, 0000000F.00000003.707719608.000000000389E000.00000004.00000001.sdmpBinary or memory string: Program Manager
Source: 1PO_4100184440.exe, RegAsm.exe, 00000002.00000002.1042058264.0000000001550000.00000002.00000001.sdmp, dpapimig.batBinary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.1042058264.0000000001550000.00000002.00000001.sdmpBinary or memory string: Progman
Source: dpapimig.bat, 0000000C.00000003.690954933.00000000033BD000.00000004.00000001.sdmpBinary or memory string: Program Manager3a
Source: 1PO_4100184440.exe, 00000000.00000003.625308487.0000000003FD1000.00000004.00000001.sdmpBinary or memory string: Program ManagerSs0
Source: RegAsm.exe, 00000002.00000002.1042058264.0000000001550000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: RegAsm.exe, 00000002.00000002.1043514278.0000000003104000.00000004.00000001.sdmp, KB_3998281.dat.2.drBinary or memory string: [explorer] Program Manager

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C2886B cpuid 0_2_00C2886B
Contains functionality to query local / system timeShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00C350D7
Contains functionality to query the account / user nameShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C42230 GetUserNameW,0_2_00C42230
Contains functionality to query time zone informationShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C3418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00C3418A
Contains functionality to query windows versionShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeCode function: 0_2_00C04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C04AFE
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\Desktop\1PO_4100184440.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
OS version to string mapping found (often used in BOTs)Show sources
Source: dpapimig.batBinary or memory string: WIN_81
Source: dpapimig.batBinary or memory string: WIN_XP
Source: dpapimig.batBinary or memory string: WIN_XPe
Source: dpapimig.batBinary or memory string: WIN_VISTA
Source: dpapimig.batBinary or memory string: WIN_7
Source: dpapimig.batBinary or memory string: WIN_8
Source: 1PO_4100184440.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

barindex
Detected Nanocore RatShow sources
Source: 1PO_4100184440.exe, 00000000.00000003.624888751.0000000003FE7000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000002.00000002.1045316432.0000000005440000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Vari
Source: dpapimig.bat, 0000000C.00000003.686324153.0000000003861000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.708878373.0000000000402000.00000020.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.712703857.0000000002ED0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Vari
Source: dpapimig.bat, 0000000F.00000003.703479253.0000000003C78000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000010.00000002.728203647.0000000000402000.00000020.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000010.00000002.732077468.0000000003CB0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Vari