

Analysis Report P.O List.exe

Overview

General Information

Sample Name: P.O List.exe
Analysis ID: 298630
MD5: ab68bace36ec6c744162c32cf3f83f90
SHA1: 49f2d7c9cc46ee836bd9648df43f888d70405a14
SHA256: f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69
Tags: exe NanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • P.O List.exe (PID: 3284 cmdline: 'C:\Users\user\Desktop\P.O List.exe' MD5: AB68BACE36EC6C744162C32CF3F83F90)
    • RegSvcs.exe (PID: 3628 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 3028 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • dhcpmon.exe (PID: 6564 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xa80ad:$x1: NanoCore.ClientPluginHost
  • 0xda8cd:$x1: NanoCore.ClientPluginHost
  • 0xa80ea:$x2: IClientNetworkHost
  • 0xda90a:$x2: IClientNetworkHost
  • 0xabc1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xde43d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa7e15:$a: NanoCore
  • 0xa7e25:$a: NanoCore
  • 0xa8059:$a: NanoCore
  • 0xa806d:$a: NanoCore
  • 0xa80ad:$a: NanoCore
  • 0xda635:$a: NanoCore
  • 0xda645:$a: NanoCore
  • 0xda879:$a: NanoCore
  • 0xda88d:$a: NanoCore
  • 0xda8cd:$a: NanoCore
  • 0xa7e74:$b: ClientPlugin
  • 0xa8076:$b: ClientPlugin
  • 0xa80b6:$b: ClientPlugin
  • 0xda694:$b: ClientPlugin
  • 0xda896:$b: ClientPlugin
  • 0xda8d6:$b: ClientPlugin
  • 0xa7f9b:$c: ProjectData
  • 0xda7bb:$c: ProjectData
  • 0xa89a2:$d: DESCrypto
  • 0xdb1c2:$d: DESCrypto
  • 0xb036e:$e: KeepAlive
Process Memory Space: P.O List.exe PID: 3284 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3028, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: P.O List.exe | Virustotal: Detection: 34%
Source: P.O List.exe | ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: P.O List.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 79.134.225.109:1985
Source: global traffic | TCP traffic: 192.168.2.6:49734 -> 79.134.225.109:1985
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: dhcpmon.exe, 00000008.00000002.390930561.0000000000E38000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_05100AE6 NtQuerySystemInformation, 1_2_05100AE6
Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_05100AAB NtQuerySystemInformation, 1_2_05100AAB
Source: P.O List.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: P.O List.exe | Binary or memory string: OriginalFilename vs P.O List.exe
Source: P.O List.exe, 00000001.00000002.366262939.00000000070B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs P.O List.exe
Source: P.O List.exe, 00000001.00000002.365754125.0000000006E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs P.O List.exe
Source: P.O List.exe, 00000001.00000002.361503180.0000000005120000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHutaba.dll, vs P.O List.exe
Source: P.O List.exe | Binary or memory string: OriginalFilenamec vs P.O List.exe
Source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.360766095.0000000004047000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: P.O List.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/8@0/1
Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_051005DE AdjustTokenPrivileges, 1_2_051005DE
Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_051005A7 AdjustTokenPrivileges, 1_2_051005A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\P.O List.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\P.O List.exe.log
Source: C:\Users\user\Desktop\P.O List.exe | Mutant created: \Sessions\1\BaseNamedObjects\iGpeKxjfRGbtyLDZoRCcazYU
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6849f433-163e-43fe-8f9b-5548541e223d}
Source: C:\Users\user\Desktop\P.O List.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\P.O List.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\P.O List.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\P.O List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: P.O List.exe | Virustotal: Detection: 34%
Source: P.O List.exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\P.O List.exe 'C:\Users\user\Desktop\P.O List.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P.O List.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\P.O List.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\P.O List.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: P.O List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\P.O List.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: P.O List.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: mscorrc.pdb source: P.O List.exe, 00000001.00000002.365754125.0000000006E70000.00000002.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: P.O List.exe, Form1.cs | .Net Code: ResumeLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.0.P.O List.exe.760000.0.unpack, Form1.cs | .Net Code: ResumeLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.2.P.O List.exe.760000.0.unpack, Form1.cs | .Net Code: ResumeLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_02AAC497 push esp; iretd 1_2_02AAC499
      Source: C:\Users\user\Desktop\P.O List.exe | Code function: 1_2_02B538BC push ebp; retf 1_2_02B538BE
      Source: initial sample | Static PE information: section name: .text entropy: 7.97359216598
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\P.O List.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: Process Memory Space: P.O List.exe PID: 3284, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\P.O List.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 380
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 1013
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 711
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 655
      Source: C:\Users\user\Desktop\P.O List.exe TID: 4828 | Thread sleep time: -41500s >= -30000s
      Source: C:\Users\user\Desktop\P.O List.exe TID: 4680 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4516 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: P.O List.exe, 00000001.00000002.357026367.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\P.O List.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\P.O List.exe | Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\P.O List.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
      Source: C:\Users\user\Desktop\P.O List.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 10F5008
      Source: C:\Users\user\Desktop\P.O List.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: C:\Users\user\Desktop\P.O List.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: RegSvcs.exe, 00000004.00000003.383470437.00000000067D6000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: RegSvcs.exe, 00000004.00000003.431986660.00000000067C8000.00000004.00000001.sdmp | Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\P.O List.exeQueries volume information: C:\Windows