
Analysis Report ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe

Overview

General Information

Sample Name: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Analysis ID: 298740
MD5: d4dca448733f1efa1bd5795ee6764be3
SHA1: 00175a2050235056bcfc4c4c37c11b0d1fac33b9
SHA256: 92623796596c411c3458b0ba32673dfa0bb1fcdb5a2b42c07b0a3b9d6b044a21
Tags: exe

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe' MD5: D4DCA448733F1EFA1BD5795EE6764BE3)
    • duypca.exe (PID: 4348 cmdline: 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe' MD5: D4DCA448733F1EFA1BD5795EE6764BE3)
      • RegAsm.exe (PID: 5312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • RegAsm.exe (PID: 1020 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
        • schtasks.exe (PID: 7020 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7048 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD052.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 6140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6264 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • duypca.exe (PID: 6500 cmdline: 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe' MD5: D4DCA448733F1EFA1BD5795EE6764BE3)
  • dhcpmon.exe (PID: 724 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • duypca.exe (PID: 6712 cmdline: 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe' MD5: D4DCA448733F1EFA1BD5795EE6764BE3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["194.5.97.179:4488"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Dropped Files

Source | Rule | Description | Author (matched strings listed under each row)
C:\Users\user\AppData\Roaming\ufdqk\Egabeq.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x14:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)
0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x356d:$a: NanoCore
  • 0x35c6:$a: NanoCore
  • 0x3603:$a: NanoCore
  • 0x367c:$a: NanoCore
  • 0x16d27:$a: NanoCore
  • 0x16d3c:$a: NanoCore
  • 0x16d71:$a: NanoCore
  • 0x2fce3:$a: NanoCore
  • 0x2fcf8:$a: NanoCore
  • 0x2fd2d:$a: NanoCore
  • 0x35cf:$b: ClientPlugin
  • 0x360c:$b: ClientPlugin
  • 0x3f0a:$b: ClientPlugin
  • 0x3f17:$b: ClientPlugin
  • 0x16ae3:$b: ClientPlugin
  • 0x16afe:$b: ClientPlugin
  • 0x16b2e:$b: ClientPlugin
  • 0x16d45:$b: ClientPlugin
  • 0x16d7a:$b: ClientPlugin
  • 0x2fa9f:$b: ClientPlugin
  • 0x2faba:$b: ClientPlugin
00000009.00000002.505581360.0000000002F81000.00000004.00000001.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x19462b:$s5: AEAAAAMAAQqVT
  • 0x19459c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(16 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)
12.2.RegAsm.exe.6730000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
12.2.RegAsm.exe.6730000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
12.2.RegAsm.exe.6730000.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.RegAsm.exe.57e0000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
12.2.RegAsm.exe.57e0000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(7 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 1020, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp', ProcessId: 7020

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe, Avira: detection malicious, Label: TR/Kryptik.crzgg
Found malware configuration
Source: RegAsm.exe.1020.12.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["194.5.97.179:4488"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe, ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, Virustotal: Detection: 35%
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORY
Source: Yara match, File source: Process Memory Space: duypca.exe PID: 4348, type: MEMORY
Source: Yara match, File source: 12.2.RegAsm.exe.6730000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegAsm.exe.6730000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, Joe Sandbox ML: detected
Source: 12.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic, TCP traffic: 192.168.2.7:49733 -> 194.5.97.179:4488
Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
Source: unknown, TCP traffic detected without corresponding DNS query: 194.5.97.179 (50 identical entries)
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.295389484.0000000005500000.00000002.00000001.sdmp, duypca.exe, 00000009.00000002.512729648.0000000005FA0000.00000002.00000001.sdmp, duypca.exe, 00000018.00000002.358523279.0000000005E50000.00000002.00000001.sdmp, duypca.exe, 0000001D.00000002.393599398.00000000064F0000.00000002.00000001.sdmp, Strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: duypca.exe, 0000001D.00000002.393599398.00000000064F0000.00000002.00000001.sdmp, Strings found in binary or memory:
  • http://www.fontbureau.com/designers
  • http://www.tiro.com
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.290901127.0000000000C87000.00000004.00000040.sdmp, Strings found in binary or memory:
  • http://www.fontbureau.comE
  • http://www.fontbureau.comcommN
  • http://www.fontbureau.comueF
Source: duypca.exe, 00000009.00000002.504383990.00000000013C8000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORY
Source: Yara match, File source: Process Memory Space: duypca.exe PID: 4348, type: MEMORY
Source: Yara match, File source: 12.2.RegAsm.exe.6730000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegAsm.exe.6730000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.510302639.00000000057E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: duypca.exe PID: 4348, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: duypca.exe PID: 4348, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.RegAsm.exe.6730000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.RegAsm.exe.57e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.RegAsm.exe.6730000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sample | Static PE information: Filename: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_0179E270
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_0179E260
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_0179C2FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0305E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0305E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0305BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0569F5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_05699788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0569A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_06C30040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00F43DFE
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 24_2_02DBC2FC
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 24_2_02DBE270
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 24_2_02DBE260
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 29_2_019DC2FC
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 29_2_019DE270
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 29_2_019DE260
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duypca.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.293761535.0000000003730000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamef8c31bfa-53ee-4064-9db4-daa09f95d3764 vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.293761535.0000000003730000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUAE.exe0 vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.299487348.0000000006AA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.300659182.0000000006BA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.300659182.0000000006BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.293048847.000000000273C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename5052748f-9f1c-426e-b906-9a63a75888fc4 vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe, 00000000.00000002.289237076.00000000004F7000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Binary or memory string: OriginalFilenameUAE.exe0 vs ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: 0000000C.00000002.507975588.00000000040B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.505581360.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.511590947.0000000006730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.510302639.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.510302639.00000000057E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.508718207.00000000040F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.501661353.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 1020, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: duypca.exe PID: 4348, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: duypca.exe PID: 4348, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: duypca.exe PID: 4348, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Roaming\ufdqk\Egabeq.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 12.2.RegAsm.exe.6730000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.6730000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.57e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.57e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.6730000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.6730000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: duypca.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/14@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File created: C:\Users\user\AppData\Roaming\ufdqk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4f93cfbe-a367-4157-8015-7685f37f0b95}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Mutant created: \Sessions\1\BaseNamedObjects\Fiwemsdzzitmnquzwudafospuquc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Abwremtjfusuhbjnlacrudss
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File read: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe
Source: unknown | Process created: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe 'C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD052.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe'
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe'
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Process created: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe 'C:\Users\user\AppData\Roaming\ufdqk\duypca.exe'
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD052.tmp'
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.12.dr
      Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000C.00000002.503292774.00000000014FF000.00000004.00000020.sdmp, dhcpmon.exe, 00000016.00000000.333494504.0000000000F42000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000002.365171244.0000000000122000.00000002.00020000.sdmp, dhcpmon.exe.12.dr
      Source: Binary string: dows\dll\mscorlib.pdb source: RegAsm.exe, 0000000C.00000002.502978486.00000000014B5000.00000004.00000020.sdmp

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_01798F18 pushad ; ret 9_2_01798F06
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_01791C7C push ebx; iretd 9_2_01791C7A
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 9_2_01791C68 push ebx; iretd 9_2_01791C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_0569B5E0 push eax; retf 12_2_0569B5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_056969F8 pushad ; retf 12_2_056969F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 12_2_056969FA push esp; retf 12_2_05696A01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00F444A3 push es; retf 22_2_00F444A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00F44469 push cs; retf 22_2_00F4449E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00F44289 push es; retf 22_2_00F44294
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 24_2_02DB6C59 push 1405286Ah; ret 24_2_02DB6C65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 26_2_00124281 push es; retf 26_2_00124294
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 26_2_001244A3 push es; retf 26_2_001244A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 26_2_00124469 push cs; retf 26_2_0012449E
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 29_2_019D1C7B push ebx; iretd 29_2_019D1C7A
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Code function: 29_2_019D1C68 push ebx; iretd 29_2_019D1C7A
Source: initial sample | Static PE information: section name: .text entropy: 7.64135367812
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File created: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpCCF6.tmp'
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Egabeq

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File opened: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | File opened: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe | File opened: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe Process information set: NOOPENFILEERRORBOX (reported 20 times)
      Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe
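The same "Process information set: NOOPENFILEERRORBOX" observation is emitted once per SetErrorMode call, so the raw report repeats it dozens of times for both the initial sample and the copy running from AppData. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses behaviour lines of this shape, strips the "Jump to behavior" link residue, skips truncated lines, aggregates the observations into per-process counts, and maps the flag name back to the numeric SetErrorMode value it denotes (SEM_NOOPENFILEERRORBOX = 0x8000, from winbase.h). The sample lines are constructed from the two paths on this page, and the "persisted copy" heuristic based on the AppData location is an assumption made for illustration, not a rule the report applies.

```python
import re
from collections import Counter

# Constructed sample input in the shape of the report lines above (not copied
# from the page verbatim): note the missing space between the process path and
# the observation, the trailing "Jump to behavior" link text, and a truncated line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\Desktop\ORDERS#4500121785_PO_PRODUCTS_BESOMI_LLC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\ufdqk\duypca.exe",  # truncated: no observation
]

# Win32 SetErrorMode flag values (winbase.h). SEM_NOOPENFILEERRORBOX tells the
# system not to show a message box when OpenFile fails to find a file and to
# return the error to the caller instead; sandboxes flag it because it keeps
# a failing sample from blocking on a dialog.
ERROR_MODE_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# Process path runs straight into the observation name after ".exe"; the
# observation name runs up to the first colon; the value may carry the
# "Jump to behavior" link text that the page extraction glued onto it.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?\.exe)"
    r"(?P<signature>[A-Z][^:]*?):\s*"
    r"(?P<value>.+?)"
    r"(?:Jump to behavior)?\s*$"
)


def parse_line(line):
    """Return (process_path, observation, value) or None for lines without an observation."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("source"), m.group("signature"), m.group("value")


def summarize(lines):
    """Collapse repeated observations into a Counter keyed by (process, observation, value)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # truncated or otherwise unparsable line
            continue
        counts[parsed] += 1
    return counts, skipped


def error_mode_value(flag_name):
    """Map a flag name as printed by the report to its SetErrorMode bit, or None if unknown."""
    return ERROR_MODE_FLAGS.get(flag_name.strip().upper())


def is_persisted_copy(process_path):
    """Heuristic (assumption for illustration): a copy running from AppData rather than the
    original drop location on the Desktop is the dropped, persisted executable."""
    return "\\appdata\\" in process_path.lower()


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LINES)
    for (proc, sig, val), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        tag = "persisted copy" if is_persisted_copy(proc) else "initial sample"
        mode = error_mode_value(val)
        mode_text = f"SetErrorMode 0x{mode:04X}" if mode is not None else "unknown flag"
        print(f"{n:3d}x  {sig}: {val} ({mode_text})  [{tag}] {proc}")
    print(f"skipped {skipped} truncated line(s)")
```

The aggregation is what makes the two process paths stand out: one count for the sample launched from the Desktop and one for the copy in AppData\Roaming, instead of one line per call.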